October 1, 2004

Information Technology Management

Report on Defense Civilian Pay System Controls Placed in Operation and Test of Operating Effectiveness for the Period March 1, 2004 through September 10, 2004
(D-2005-001)

Department of Defense
Office of the Inspector General

Constitution of the United States

A Regular Statement of Account of the Receipts and Expenditures of all public Money shall be published from time to time.
Article I, Section 9

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

October 1, 2004

MEMORANDUM FOR DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on the Defense Civilian Pay System (Report No. D-2005-001)

We are providing this report for your information and use. No written response to this report is required. Therefore, we are publishing this report in final form.

We appreciate the courtesies extended to the staff. Questions should be directed to Ms. Addie M. Beima at (703) 604-9139 (DSN 664-9139) or Ms. Donna A. Roberts at (703) 604-9136 (DSN 664-9136). If management requests, we will provide a formal briefing on the results.

By direction of the Deputy Inspector General for Auditing

Paul J. Granetto, CPA
Assistant Inspector General
Defense Financial Auditing Service

Table of Contents

Section I
      Independent Service Auditors’ Report                                             1

Section II
      Description of DCPS Operations and Controls Provided by DFAS and DISA            7

Section III
      Control Objectives, Control Activities, and Tests of Operating Effectiveness    17

Section IV
      Supplemental Information Provided by DFAS and DISA                             103

Acronyms and Abbreviations                                                           107

Report Distribution                                                                  109

Section I: Independent Service Auditors’ Report

October 1, 2004

MEMORANDUM FOR DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on the Defense Civilian Pay System Controls Placed in Operation and Tests of Operating Effectiveness

We have examined the accompanying description of the general computer and application controls related to the Defense Civilian Pay System (DCPS) (Section II). DCPS is sponsored and used by the Defense Finance and Accounting Service (DFAS). The system is jointly maintained and technically supported by the Defense Information Systems Agency (DISA) and technical support elements of DFAS. As such, the DCPS general computer and application controls are managed by both DISA and DFAS. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of the controls at DFAS and DISA that may be relevant to a DCPS user organization’s internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and user organizations applied those aspects of internal control contemplated in the design of the controls at DFAS and DISA; and (3) such controls had been placed in operation as of September 10, 2004.

The control objectives were specified by the Office of Inspector General of the Department of Defense (IG DoD). Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

The accompanying description includes only those application control objectives and related controls resident at the Charleston, SC, Pensacola, FL, and Denver, CO payroll offices and does not include application control objectives and related controls at the National Security Agency (NSA) payroll office. In addition, DCPS interfaces with over 50 DoD and external systems that either receive data from DCPS or transmit data to DCPS. Examples of these interfaces include the Defense Civilian Personnel Data System, Automated Time and Attendance and Production System, Automated Disbursing System, and Defense Joint Accounting System, which perform personnel, timekeeping, disbursement, and payroll accounting functions. The accompanying description includes only the control objectives and related general and application controls resident at the Charleston, SC, Pensacola, FL, and Denver, CO payroll offices and related to the DCPS system itself, and does not include control objectives and related general and application controls resident at the NSA payroll office or related to the systems that interface with DCPS. Our examination did not extend to the controls resident at the NSA payroll office or related to the systems that interface with DCPS.

Our examination was conducted for the purpose of forming an opinion on the description of the DCPS general and application controls at DFAS and DISA (Section II). Information about business continuity plans and procedures at DFAS and DISA, as provided by those organizations and included in Section IV, is presented to provide additional information to user organizations and is not a part of the description of controls at DFAS and DISA. The information in Section IV has not been subjected to the procedures applied in the examination of the aforementioned description of the controls at DFAS and DISA related to their business continuity plans and procedures and, accordingly, we express no opinion on the description of the business continuity plans and procedures provided by DFAS and DISA.

In our opinion, the accompanying description of the general computer and application controls at DFAS and DISA related to DCPS (Section II) presents fairly, in all material respects, the relevant aspects of the controls at DFAS and DISA that had been placed in operation as of September 10, 2004. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and users applied those aspects of internal control contemplated in the design of the controls at DFAS and DISA.

In addition to the procedures that we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specified controls, listed in Section III, to obtain evidence about their effectiveness in meeting the related control objectives described in Section III, during the period from March 1, 2004 to September 10, 2004. The specific control objectives; controls; and the nature, timing, extent, and results of the tests are listed in Section III. This information has been provided to DCPS’ user organizations and to their auditors to be taken into consideration, along with information about the user organizations’ internal control environments, when making assessments of control risk for such user organizations.

As discussed in the accompanying description, a number of controls in place to ensure compliance with DoD information assurance policies, including DoDI 8500.2 and DITSCAP, appear to be suitably designed, but our tests of operating effectiveness indicated inconsistencies in adherence to these policies. Specifically, we noted the following:

   •   SDCA-1: Risk assessment activities performed at DECC-ME are not in full compliance with DoD 8510.1-M. Although a DITSCAP review had been completed, it had not been updated to reflect recent changes in the DITSCAP guidance. In addition, SRR reviews are regularly performed that should detect items not compliant with DISA standards.

   •   SDCA-1: Annual information assurance reviews as required by DoD 8510.1-M were not performed at TSOPE. However, DCPS is audited each year by various entities.

   •   SDCA-3: Extraneous communications services not covered by DISA STIGs are operating on all three logical partitions. While these extraneous services do not appear to pose significant risk to DCPS data, DoD information assurance policy states that for enclaves and AIS applications, all DoD security configuration or implementation guides should be applied.

   •   SDCI-4: Several undocumented interfaces that are not covered by DISA STIGs were observed communicating with DCPS. While these interfaces do not appear to pose significant risk to DCPS data, DoD information assurance policy states that for enclaves and AIS applications, all DoD security configuration or implementation guides should be applied.

As a result, the control objectives SDCA-1, SDCA-3, and SDCI-4 may not have been achieved during the period from March 1, 2004 to September 10, 2004.

In our opinion, except for the deficiencies in operating effectiveness noted in the preceding paragraph, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period from March 1, 2004 to September 10, 2004. However, the scope of our engagement did not include tests to determine whether control objectives not listed in Section III were achieved; accordingly, we express no opinion on the achievement of control objectives not included in Section III.

The relative effectiveness and significance of specific controls at DFAS and DISA and their effect on assessments of control risk at user organizations are dependent on their interaction with the internal control environment and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of internal controls placed in operation at individual user organizations.

The description of the controls at DFAS and DISA is as of September 10, 2004, and information about tests of their operating effectiveness covers the period from March 1, 2004 to September 10, 2004. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specific controls at DFAS and DISA is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions.

This report is intended solely for use by management of DCPS, its user organizations, and the independent auditors of such user organizations.

By direction of the Deputy Inspector General for Auditing:

Assistant Inspector General
Defense Financial Auditing Service

Section II: Description of DCPS Operations and Controls Provided by DFAS and DISA

II. Description of DCPS Operations and Controls Provided by DFAS and DISA

A. Overview of DCPS

Purpose of DCPS

In 1991, the Department of Defense (DoD) selected the Defense Civilian Pay System (DCPS) to serve as its standard payroll system for use by all DoD activities paying civilian employees, except Local Nationals and those funded by Non-appropriated Funds and Civilian Mariners. The DCPS program mission is to process payroll for DoD civilian employees in accordance with existing regulatory, statutory, and financial information requirements relating to civilian pay entitlement and applicable policies and procedures. Beginning in 2003 and as part of the President’s Management Agenda e-Payroll initiative, DFAS began processing payroll for Department of Energy (DOE) employees and was selected as one of four federal payroll providers to serve the entire executive branch of the Federal government. DFAS also processes payroll for the Executive Office of the President.

The DoD civilian pay program, including the payroll processing performed for DoD customers like DOE, must satisfy the complex and extensive functional, technical, and interface requirements associated with the DoD civilian pay function. The functional areas include employee data maintenance, time and attendance, leave, pay processing, deductions, retirement processing, debt collection, special actions, disbursing and collection, reports processing and reconciliation, and record maintenance and retention. DCPS provides standard interface support to the various accounting, financial, and personnel systems.

DCPS Support Functions

The Defense Finance and Accounting Service - Headquarters (DFAS-HQ) provides management control and coordination within DoD and has overall responsibility for interpretation and application of DCPS. The system is maintained and executed on the Defense Information Systems Agency (DISA) mainframe platforms at the Defense Enterprise Computing Center, Mechanicsburg (DECC-ME). The Technology Services Organization in Pensacola, Florida (TSOPE), which is part of DFAS, provides DCPS application support.

DCPS Systems Architecture

DCPS has a two-tiered architecture comprised of the following:

     •   Mainframe hardware and software components - used as a repository for the collection and accumulation of data, and to provide centralized, biweekly processing of civilian pay and its attendant functions (e.g., electronic funds transfer, generation of leave and earnings statements, etc.).

     •   Remote user/print spooler hardware and software - used to collect and/or pre-process data at customer sites, provide connectivity to DCPS mainframe components, and support printing of mainframe-generated outputs (e.g., reports, timesheets) at customer locations. These components are largely customer-owned and operated, and include personal computers, local area networks (LANs), a diverse assortment of printers, and the software that operates and connects them. A limited number of mid-tier (minicomputer) systems have been fielded by the Defense Finance and Accounting Service (DFAS) at selected DFAS sites to handle specialized printing requirements (e.g., paychecks). Other offloaded print services, such as bulk printing for DCPS payroll offices and printing of Leave and Earnings Statements (LES), are performed on PC/workstation hardware maintained by the Defense Automated Printing Service (DAPS) at DAPS sites located in various U.S. and overseas geographical regions.

The two tiers of the DCPS architecture are connected via DoD-maintained networks comprised of Internet Protocol (IP)-based (e.g., Non-Classified Internet Protocol Router Network (NIPRNET)) and Systems Network Architecture (SNA)-based (leased line) services. These networks connect DCPS to a wide variety of external, non-DCPS sites (mainframes, mid-tiers, and PCs) that supply or exchange data with DCPS on a regular basis, mainly through electronic file transfers. Examples of external interface sites include the Defense Civilian Personnel Data System, Federal Reserve, Thrift Savings Plan, Department of Treasury, and non-DoD users such as the Department of Energy and Executive Office of the President.

The main technical components of DCPS include the following attributes:

     •   DCPS is housed in a separate logical domain on an Amdahl 2045C mainframe computer located at DISA DECC-ME;
     •   The Amdahl operating system software is OS/390 release 2.8.0;
     •   DCPS is written in the COBOL II language;
     •   First point of entry security protection mechanisms are provided by Access Control Facility 2 (ACF2) for OS/390;
     •   DECC-ME provides four web servers that service all applications that support DCPS. These servers accept the users’ secure web requests by supplying a menu screen with options for each application to the DCPS LOGON SCREEN, where individuals enter their ACF2 login user IDs and passwords; and
     •   Several third-party software packages are used for services associated with DCPS (e.g., process scheduling and monitoring).

Overview of Payroll Offices

Four payroll offices located in Charleston, SC; Denver, CO; Pensacola, FL; and at the National Security Agency (NSA), Fort Meade support the processing of all payroll transactions. The Customer Service Representatives (CSR) at each payroll office have access to the appropriate host system via dedicated leased lines and various DoD networks.

The payroll offices are structured in accordance with DFAS standard staffing policy and conduct business using standard operating and support procedures. They provide payroll service to customers located in various time zones and are responsible for the full range of pay processing functions and services, which mainly include supporting and maintaining payroll transactions and resolution of issues and errors. The Charleston payroll office supports DOE payroll recipients and the Pensacola payroll office supports the Executive Office of the President payroll recipients.

Overview of System Interfaces

DCPS is a combination of on-line and batch programs that support the requirements of a bi-weekly, semimonthly, and, in the case of the Executive Office of the President, monthly payroll. Transactions to update employee data, adjust leave balances, adjust payments for prior periods, and report time and attendance may be input daily to spread the online workload and to obtain labor data.

DCPS takes input from three main areas: CSRs located at the payroll offices; timekeepers; and personnel offices located throughout the DoD organization. As a result of this input and the output to external systems, DCPS receives or creates over 50 interface files that, among other functions, do the following:

       •   Update personnel information;
       •   Upload time and attendance data;
       •   Download information for checks to be printed;
       •   Report accounting information to the U.S. Treasury;
       •   Reconcile enrollment information with health care providers; and
       •   Download general accounting information to DoD agencies.

Automatic electronic file transfers directly to and from the host mainframe computer are used for most input and output file interfaces. Output files are automatically transferred to sites/activities using common file transfer protocols. CSRs must provide File Transfer Table data to TSOPE for table updates. For files not automatically transferred, it is the activity’s responsibility to access the host computer to retrieve their output file(s) from the host. It is the responsibility of the activity creating an input interface file for DCPS to deliver it, by whatever means is available, to the payroll office or the processing center supporting the payroll office. A mutually agreeable schedule between the payroll activity and the submitting activity is established to help ensure timely receipt of data to support DCPS payroll processing.

Beginning in 2003, and as part of the President’s Management Agenda e-Payroll initiative, DFAS began processing payroll for Department of Energy (DOE) employees and was selected as one of four federal payroll providers to service the entire executive branch of the Federal government. The migration of additional Executive Branch customers to DFAS is scheduled to be completed by September 2004. Through the consolidation process, efforts have been made to standardize payroll processing and delivery, which will drive additional interfaces and functionality.

B. Control Environment

DCPS Management Oversight

DFAS-HQ provides management control and coordination within the DoD and has overall responsibility for the DCPS system. DFAS-HQ is responsible for reviewing and maintaining the overall DCPS security policy. The TSOPE in Pensacola, FL, a unit of DFAS, provides DCPS software engineering, production support, and customer service. The TSOPE reports to the Civilian Pay Services business line at DFAS-HQ. The DCPS system is maintained and executed on DISA mainframe platforms at DECC-ME. DECC-ME is part of the Center for Computing Services within the Global Information Grid Combat Support Directorate, which is a Strategic Business Unit within DISA. DISA and DFAS are Defense Agencies that report to the Office of the Secretary of Defense. The support services provided by DISA to DCPS are documented in a signed service level agreement between DISA and DFAS. The service level agreement is reviewed and updated by both agencies on an annual basis. Both DFAS and DISA have documented policies and procedures for their respective functions.

Personnel Policies and Procedures

DFAS Payroll Offices and TSOPE

Payroll office employees and contractors are required to review applicable administrative orders, policies, and procedures with the Human Resource Office and must complete appropriate forms to gain access to DFAS systems. New employees must meet with the Information Security (IS) Manager. The IS Manager is responsible for: (1) providing basic systems security awareness training, (2) securing civilians’ and contractors’ signatures on an ADP Security Awareness disclosure, (3) identifying to the employee who their Terminal Area Security Officer (TASO) is and what the TASO’s responsibilities are, and (4) notifying appropriate personnel to provide access or to immediately terminate employee and/or contractor access to DFAS automated information system (AIS) resources when an employee and/or contractor is processing-in or processing-out. The payroll offices and TSOPE facilities do not require any specific level of prior security clearance before a candidate can become an employee.

DISA DECC-ME

The Security Manager is responsible for the processing and vetting of new employees and contractors who are given access to DISA facilities in Mechanicsburg. All contractors and employees are required, at a minimum, to have a secret clearance and a positive National Agency Check (NAC). For employees, the Security Manager coordinates with the Personnel office, and for contractors, the Security Manager coordinates with the contracting officer. The contracting officer is responsible for confirming that all contractors are assigned to a valid contract that has been approved to operate at DISA DECC-ME.

All new employees are required to sign DISA Form 312, which serves as a nondisclosure agreement for sensitive and classified information. When employees are terminated, they sign the same Form 312 to confirm that they still understand the requirements put upon them. For new employees and contractors to gain access to DISA systems, they are required to complete DISA Form 2875. The Security Manager is responsible for vetting these forms and confirming that the person requesting access has the proper clearance for the level of access requested. For contractors, the Security Manager confirms the length of the contract and determines when system accounts should expire. All new employees and contractors must complete security awareness training.

C. Monitoring

Management and supervisory personnel at DFAS and DISA monitor the performance quality and internal control environment as a normal part of their activities. DFAS and DISA have implemented a number of management, financial, and operational reports that help monitor the performance of payroll processing as well as the DCPS system itself. These reports are reviewed periodically and action is taken as necessary. All procedural problems and exceptions to normal or scheduled processing through hardware or software are logged, reported, and resolved in a timely manner, and action is taken as necessary.

In addition, several organizations within DoD perform monitoring associated with DCPS-related internal controls. These functions include:

DISA Office of the Inspector General and Field Security Office

DISA has its own Office of the Inspector General, which is an independent office within DISA that conducts internal audits, inspections, and investigations. The DISA-related components that support DCPS are part of the DISA Office of the Inspector General audit universe and are subject to audits, inspections, and investigations conducted by this office.

In addition, DISA also has a Field Security Operations (FSO) unit that performs periodic reviews of DISA systems to determine whether those systems are in compliance with DISA’s documented security standards. The DCPS system components that are maintained by DISA are subject to these FSO reviews. The FSO is independent of the DECC-ME management structure and does not maintain or configure DCPS systems.

DITSCAP Certification and Accreditation

DoD Instruction 5200.40, “Department of Defense Information Technology Security Certification and Accreditation Process” (DITSCAP), establishes a standard Department-wide process, set of activities, general tasks, and management structure to certify and accredit information systems that will maintain the information assurance and security posture of the defense information infrastructure throughout the life cycle of each system. The certification process is a comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards to establish the extent to which a particular design and implementation meets specified security requirements, and covers physical, personnel, administrative, information, information systems, and communications security. The accreditation process is a formal declaration by the designated approving authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

DCPS is subject to the requirements of DITSCAP and must meet all of the DITSCAP certification and accreditation requirements throughout its life cycle. As part of the DCPS DITSCAP process, separate System Security Authorization Agreements (SSAAs) have been prepared for the DCPS application itself and for the system enclave within DISA that supports the application. Each SSAA is a living document that represents an agreement between the designated approving authority, certifying authority, user representative, and program manager. Among other items, the DCPS SSAA documents DCPS’ mission description and system identification, environment description, system architecture description, system class, system security requirements, organizations and resources, and DITSCAP plan. On a periodic basis, the system security officer must verify and validate DCPS’ compliance with the information in the SSAA. These verification and validation procedures include, among other steps, vulnerability evaluations, security testing and evaluation, penetration testing, and risk management reviews.

Office of the Inspector General, Department of Defense

The Office of the Inspector General (OIG), Department of Defense was established by Congress to conduct and supervise audits and investigations related to the programs and operations of the DoD. The OIG reports directly to the Secretary of Defense and is independent of DFAS and DISA. DCPS, as well as the payroll processes it supports, is part of the OIG audit universe and is subject to financial, operational, and information technology audits, reviews, and special assessment projects.

D. Risk Assessment

The DITSCAP process, discussed in subsection C above, includes several activities that document and assess risks associated with DCPS. The DCPS application and enclave SSAAs, which are a product of the DITSCAP process, also document threats to DCPS and its supporting technical environment. The SSAAs also contain Residual Risk Assessments that document vulnerabilities noted during DCPS tests and analyses. The information contained in the SSAAs is updated on a periodic basis. Personnel from DFAS TSOPE and DISA DECC-ME participate in these risk assessment activities.

E. Information and Communication

Information Systems

DCPS is the information system used to process civilian payroll for DoD and its payroll customers, such as DOE. The processing of payroll involves over 50 different interfaces with DCPS. These interfaces are linked to other DoD financial systems as well as external systems. The majority of the interfaces are automated. All automated interfaces must conform to documented interface specifications developed by the TSOPE, which is responsible for executing and monitoring the automated interfaces.

Communication

The support relationship between DFAS and DISA DECC-ME is documented through a service level agreement that is reviewed and updated annually. The service level agreement outlines various DFAS and DISA DECC-ME points of contact and liaisons that should be used when DCPS issues arise. DISA DECC-ME also assigns a customer relationship manager to work with DFAS TSOPE to resolve any DCPS processing problems or concerns.

Within DFAS, the TSOPE and payroll offices hold a weekly meeting between the Directors and Managers of both organizations to discuss DCPS processing issues. There is also a Configuration Control Board, comprised of TSOPE and Payroll Office personnel, to review and approve functional and systemic changes to DCPS. The payroll offices also have a help desk function to identify and track user issues and problems with DCPS and communicate those issues and problems to the TSOPE for resolution.

F. Control Activities

The DCPS control objectives and related control activities are included in Section III of this report, "Information Provided by the Service Auditor," to eliminate the redundancy that would result from listing them in this section and repeating them in Section III. Although the control objectives and related controls are included in Section III, they are, nevertheless, an integral part of the description of controls.

G. User Organization Control Considerations

The control activities at DFAS and DISA related to DCPS were designed with the assumption that certain controls would be placed in operation at user organizations. This section describes some of the controls that should be in operation at user organizations to complement the controls at DFAS and DISA.

User organizations should have policies and procedures in place to ensure that:

     •   the Information Systems Security Officer located at the payroll offices is notified of all terminated employees that are users of DCPS.
     •   their local Human Resource Office is notified of all terminated employees, so that such employees are removed from the Master Employee Record in a timely manner.
     •   all time entered by timekeepers is approved and authorized by appropriate user organization management.
     •   all Master Employee Records created represent valid employees.
     •   all changes to the Master Employee Record are approved by appropriate user organization personnel prior to payroll processing.
     •   segregation of duties exists between those at the user organization who enter time and those who enter or change Master Employee Records.
     •   if a pseudo Social Security Number (SSN) is created, the pseudo SSN has been authorized by appropriate user organization personnel and, if necessary, is accurately tied to a primary and valid SSN.
     •   user organization managers review the “Control of Hours” and other payroll-related reports for appropriateness and accuracy.
     •   all invalid interface feeds for time entry are reviewed and handled appropriately by appropriate user organization personnel, and all invalid interface feeds for personnel records are resolved in the interface system by user organization personnel with appropriate approval by user organization management.

Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

III. Control Objectives, Controls and Test of Operating Effectiveness

A. Scope Limitations

The control objectives documented in this section were specified by the Office of the Inspector General, Department of Defense. As described in the prior section (Section II), DCPS interfaces with many systems. The controls described and tested within this section of the report are limited to those computer systems, operations, and processes directly related to DCPS itself. The controls related to the source and destination systems associated with the DCPS interfaces are specifically excluded from this review. We did not perform procedures to evaluate the effectiveness of the input, processing, and output controls within these interface systems, although we did perform procedures to evaluate DCPS interface input and output controls. We did not perform any procedures to evaluate the integrity and accuracy of the data contained in DCPS.

B. Control Deficiencies

As a result of testing procedures described in the following matrix, operating effectiveness deficiencies were identified with certain control activities. In each instance where operating effectiveness deficiencies were identified, the audit team was able to identify and test additional controls that allowed the control objective to be achieved.
These compensating controls and/or circumstances are documented with the description of the operating effectiveness deficiency in the following matrix.

In addition, the audit team identified certain compliance exceptions with DoD Information Assurance standards. These exceptions have been reported to DFAS and DISA management in a separate management report, but are not included herein as these exceptions do not adversely impact the achievement of the control objectives included in this Service Auditor’s Report.

C. Control Objectives, Control Activities, and Tests of Operating Effectiveness

Each entry in the matrix below gives the Control Objective, the Control Activity, the Test of Controls performed, and the Test Results.

Accountability (AU)

Control Objective AU-1: Audit Record Content
Audit records include:
  • User ID;
  • Successful and unsuccessful attempts to access security files;
  • Date and time of the event;
  • Type of event;
  • Success or failure of event;
  • Successful and unsuccessful logons;
  • Denial of access resulting from excessive number of logon attempts;
  • Blocking or blacklisting a user ID, terminal or access port, and the reason for the action;
  • Activities that might modify, bypass, or negate safeguards controlled by the system.
Control Activity: Audit records contain each of the items listed above.
Test of Controls: Scanned identified audit logs for the presence of each of the items listed above.
Test Results: No Relevant Exceptions Noted

Control Objective AU-2: Audit Trail, Monitoring, Analysis and Reporting
An automated, continuous on-line monitoring and audit trail creation capability is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability to automatically disable the system if serious IA violations are detected.
Control Activity: DISA and DFAS policies specify the necessary procedures. The Service Level Agreement places the specific responsibility for the performance of the monitoring of various logs among both DISA and DFAS.
Test of Controls: Observed the operation of the system, including the most recent alerts. Interviewed the personnel monitoring the system to determine their knowledge of the procedures. Scanned manually maintained logs and records to determine that the appropriate audit functions are being performed.
Test Results: No Relevant Exceptions Noted

Control Objective AU-3: Audit Trail Protection
The contents of audit trails are protected against unauthorized access, modification or deletion.
Control Activity: DISA and DFAS policies specify the necessary procedures. The Service Level Agreement places the specific responsibility for the performance of the monitoring of various logs among both DISA and DFAS.
Test of Controls: Scanned the DISA and DFAS security policies to confirm that they require adequate protection to the DCPS and operating system audit trails. Inspected the list of personnel with access to change the audit trail configuration. Observed the process for changing access to the audit trail information.
Test Results: No Relevant Exceptions Noted

Master Files and Tables Accuracy (MFTA)

Control Objective MFTA-1
Controls provide reasonable assurance that only valid and accurate changes are made to the payroll master files, payroll withholding tables and other critical system components; these changes are input and processed timely.

1.1 Control Activity: Payroll master file and withholding data tables are periodically reviewed for accuracy and ongoing pertinence.
    Test of Controls: Confirmed through corroborative inquiry with the appropriate payroll office management and functional users that payroll master file and withholding data tables are periodically reviewed for accuracy and ongoing pertinence.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether such policies require that the master files and withholding tables be periodically reviewed.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned Online Line Queries (OLQs) and reports to determine that master files and withholding tables are periodically reviewed.
    Test Results: No Relevant Exceptions Noted

1.2 Control Activity: Departmental managers periodically review listings of current employees within their departments and notify the personnel department of changes.
    Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that departmental managers periodically review listings of current employees within their departments and notify the personnel department of changes.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether such policies require managers to periodically review employee listings and notify personnel departments of any changes.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned the Control of Hours reports and noted that they are sent to management for review of employee listings and notification to personnel departments of necessary changes.
    Test Results: No Relevant Exceptions Noted

1.3 Control Activity: Requests to change the payroll master file and withholding table data are logged; the log is reviewed to ensure that all requested changes are processed timely.
    Test of Controls: Confirmed through corroborative inquiry with the appropriate payroll office management and functional users that the changes to the payroll master file and withholding table data are logged and the log is reviewed to ensure that the requested changes are acceptable.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether changes to the payroll master file and withholding table data are required to be logged and the log reviewed to ensure that the requested changes are acceptable.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned the log of changes to the payroll master file and withholding table to confirm that change details are logged.
    Test Results: No Relevant Exceptions Noted

1.4 Control Activity: Changes to the payroll withholding tables and master files are compared to authorized source documents to ensure that they were input accurately.
    Test of Controls: Confirmed through corroborative inquiry with appropriate TSO office management and functional users that tax changes to the payroll withholding tables and master files are compared to source documents to ensure that the changes were tested and approved.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether such procedures require that tax changes to the payroll withholding tables and master files be compared to source documents to ensure that they were tested and approved.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Observed the process of tax changes to the payroll withholding tables and master files being compared to authorized source documents to ensure that they were tested and approved.
    Test Results: No Relevant Exceptions Noted

1.5 Control Activity: Requests to change the payroll master file data and withholding table are submitted on prenumbered forms; the numerical sequence of such forms is accounted for to ensure that the requested changes are processed timely. Access to source documents is controlled; key source documents require signatures.
    Test of Controls: Confirmed through corroborative inquiry with the appropriate payroll office management and functional users to confirm:
      • Requests to change the payroll master file data and withholding table are submitted on pre-numbered forms;
      • The numerical sequence of such forms is accounted for to ensure that the requested changes are processed timely;
      • Access to source documents is controlled;
      • Key source documents require signatures.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether procedures exist to ensure each of the four points listed above.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Inspected a haphazard sample of Remedy Tickets to confirm that the requests:
      • Are prenumbered;
      • Have their sequence accounted for so that the forms are accounted for timely;
      • Have access to the source documents controlled;
      • Require signatures on key source documents.
    Test Results: No Relevant Exceptions Noted

1.6 Control Activity: The source document is well-designed to aid the preparer and facilitate data entry. Transaction type and data field codes are preprinted on the source document.
    Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that the source document is appropriately designed to aid the preparer and facilitate data entry, and that transaction type and data field codes are preprinted on the source document.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether such policies require that the source documentation be appropriately designed to aid the preparer and facilitate data entry, and that transaction type and data field codes be preprinted on the source document.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Observed the scanning and faxing of source documents to confirm that they are appropriately designed to aid the preparer and facilitate data entry, and that transaction type and data field codes are preprinted on the source document.
    Test Results: No Relevant Exceptions Noted

1.7 Control Activity: The ability to view, modify, or transfer information contained in the payroll master files is restricted to authorized personnel.
    Test of Controls: Confirmed through corroborative inquiry with the appropriate payroll office management and functional users that the ability to view, modify, or transfer information contained in the payroll master files is restricted to authorized personnel.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether the policies require that the ability to view, modify, or transfer information contained in the payroll master files be restricted to authorized personnel.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Inspected a haphazard sample of access forms to confirm that the master file is restricted to authorized personnel.
    Test Results: No relevant exceptions noted; however, in performing our tests we noted that management had authorized a large number of personnel to use supervisor accounts. These numbers appear excessive given the access and responsibility these accounts maintain. In subsequent discussions with management, we noted these supervisor accounts are provided to authorized employees which DFAS feels need this level of access to perform their duties.

Control Objective MFTA-2
Controls provide reasonable assurance that payroll-related data, including gross pay, employer contributions, employee withholdings, taxes, leave, etc., is created or updated completely and accurately. Data validation and editing are performed to identify erroneous data. Erroneous data are captured, reported, investigated, and corrected.

2.1 Control Activity: Batch transactions without pre-assigned serial numbers are automatically assigned a unique sequence number, which is used by the computer to monitor that all transactions are processed.
    Test of Controls: Confirmed through corroborative inquiry with the appropriate payroll office management and functional users that batch transactions without pre-assigned serial numbers are automatically assigned a unique sequence number, which is used by the computer to monitor that the transactions are processed.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether the policies require that batch transactions without pre-assigned serial numbers be automatically assigned a unique sequence number.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Observed batch process monitoring and noted that transactions without preassigned serial numbers are automatically assigned a unique sequence number.
    Test Results: No Relevant Exceptions Noted

2.2 Control Activity: Sequence checking is used to identify missing or duplicate batch transactions.
    Test of Controls: Confirmed through corroborative inquiry with the appropriate TSO office management and functional users that sequence checking is used to identify missing or duplicate batch transactions.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether the policies require that sequence checking be used to identify missing or duplicate batch transactions.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Observed the sequence checking to confirm that it is used to identify missing or duplicate batch transactions.
    Test Results: No Relevant Exceptions Noted

2.3 Control Activity: Reports of missing or duplicate transactions are produced, and items are investigated and resolved in a timely manner.
    Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that reports of missing or duplicate transactions are produced, and items are investigated and resolved timely.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether such policies require that reports of missing or duplicate transactions be produced, and items be investigated and resolved timely.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned the Personnel Interface Invalid report of missing or duplicate transactions to confirm that items are investigated and resolved timely.
    Test Results: Although testing confirmed that reports are reviewed and worked on a daily basis, we noted that corrective actions are not sufficiently documented.

2.4 Control Activity: The source document is well-designed to aid the preparer and facilitate data entry. Transaction type and data field codes are preprinted on the source document.
    Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that the source document is appropriately designed to aid the preparer and facilitate data entry, and that transaction type and data field codes are preprinted on the source document.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Scanned policies and procedures to determine whether such policies require source documentation to be appropriately designed to aid the preparer and facilitate data entry, and that transaction type and data field codes be preprinted on the source document.
    Test Results: No Relevant Exceptions Noted
    Test of Controls: Observed the scanning and faxing of source documents to confirm that they are appropriately designed to aid the preparer and facilitate data entry, and that transaction type and data field codes are preprinted on the source document.
    Test Results: No Relevant Exceptions Noted

2.5 Control Activity: Payroll master file data and withholding table data are edited and validated; identified errors are corrected promptly.
    Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional
              users that the Payroll master file data\n                                               and withholding table data are edited\n                                               and validated; and identified errors\n                                               are corrected promptly.\n                                               Scanned policies and procedures to        No Relevant Exceptions Noted\n                                               determine whether such policies\n                                               require the Payroll master file data\n                                               and withholding table data to be\n                                               edited and validated; and identified\n                                               errors are corrected promptly.\n                                               Scanned Personnel Interface Invalid       Although testing confirmed that\n                                               reports of missing or duplicate           reports are reviewed and worked on\n                                               transactions to confirm items are         daily basis, we noted that corrective\n                                               investigated and resolved timely.         actions are not sufficiently\n                                                                                         documented.\n2.6   Payroll withholding table data is        Confirmed through corroborative           No Relevant Exceptions Noted\n      periodically reviewed for compliance     inquiry with appropriate payroll\n      with statutory requirements.             
office management and functional\n                                               users that exceptions, based on\n                                               parameters established by\n                                               management, are reported for their\n                                               review and approval.\n\n\n\n                                              29\n\x0c                                         Scanned policies and procedures to       No Relevant Exceptions Noted\n                                         determine whether such policies\n                                         require exceptions, based on\n                                         parameters established by\n                                         management, to be reported for their\n                                         review and approval.\n                                         Scanned tax updates from BSI to          No Relevant Exceptions Noted\n                                         confirm they are recalculated and\n                                         subject to the change control process.\n2.7   Exceptions, based on parameters    Confirmed through corroborative          No Relevant Exceptions Noted\n      established by management, are     inquiry with the appropriate payroll\n      reported for their review and      office management and functional\n      approval.                          
users that exceptions, based on\n                                         parameters established by\n                                         management, are reported for their\n                                         review and approval.\n                                         Scanned policies and procedures to       No Relevant Exceptions Noted\n                                         determine whether such policies\n                                         require exceptions, based on\n                                         parameters established by\n                                         management, to be reported for their\n                                         review and approval.\n                                         Scanned haphazard sample of              No Relevant Exceptions Noted\n                                         exceptions on the L1OU and\n                                         Employees Exceeding Limitations\n                                         reports, based on parameters\n                                         established by management, to\n                                         confirm they are reported for their\n                                         review and approval.\n\n\n\n\n                                        30\n\x0c    Accurate Payroll Processing (APP)\n\nControl Objective APP-1                    Control Activity                        Test of Controls                          Test Results\nControls provide reasonable assurance      Compliance with the payroll             Confirmed through corroborative           No Relevant Exceptions Noted\nthat payroll processing is accurate and    disbursement processing schedule is     inquiry with appropriate payroll\nrecorded in the proper period. Payroll     monitored by management.                
office management and functional\n(including compensation and                                                        users that compliance with the\nwithholding) is accurately calculated                                              payroll disbursement processing\nand recorded. Controls provide                                                     schedule is monitored by\nreasonable assurance that disbursed                                                management.\npayroll and related expense amounts\nare properly calculated. Controls\nprovide reasonable assurance that\nprior period, current, and future period\npay actions are based on effective\ndates\n                                                                                   Scanned policies and procedures and       Policies and procedures are not\n                                                                                   searched for a statement that             detailed with specific guidance\n                                                                                   compliance with the payroll               requiring that management monitor\n                                                                                   disbursement processing schedule are      disbursing schedules.\n                                                                                   monitored by management.\n\n.                                                                                  
Inspected pay processing schedules        No relevant exceptions noted\n                                                                                   and observed payroll disbursement\n                                                                                   process and noted the monitoring of\n                                                                                   payroll disbursement processing\n                                                                                   schedule by management.\n1.2                                        The detailed payroll reconciliation     Confirmed through corroborative           No Relevant Exceptions Noted\n                                           shows pertinent data describing the     inquiry with the appropriate payroll\n                                           payroll (including total                office management and functional\n                                           disbursements,                          users that the detailed payroll\n                                           Retirement, TSP, Bonds, and other       reconciliation shows pertinent data\n                                           withholdings) and the related           describing the payroll (including total\n                                           balances are reconciled, in a timely    disbursements,\n\n\n\n                                                                                  31\n\x0cmanner, to corresponding general         Retirement, TSP, Bonds, and other\nledger accounts within DCPS. 
All         withholdings) and the related\nreconciling items are investigated and   balances are reconciled, in a timely\ncleared on a timely basis, prior to      manner, to corresponding general\ndisbursement                             ledger accounts within DCPS; and\n                                         reconciling items are investigated\n                                         and cleared prior to disbursement.\n                                         Scanned policies and procedures to        Policies and procedures are not\n                                         determine whether such policies           detailed with specific guidance\n                                         require the detailed payroll records      governing the reconciliation of and\n                                         show pertinent data describing the        corrective action for reconciliation\n                                         payroll (including total                  items. However, our testing confirms\n                                         compensation, related income taxes,       reconciling items are investigated and\n                                         and other withholdings) and the           cleared on a timely basis, prior to\n                                         related balances are reconciled, in a     disbursement\n                                         timely manner, to corresponding\n                                         general ledger accounts or entries by\n                                         persons who do not have unrestricted\n                                         access to cash; and reconciling items\n                                         to be investigated and cleared on a\n                                         timely basis.\n\n                                         Inspected a haphazard sample of           No Relevant Exceptions Noted\n                                         \xe2\x80\x9c592\xe2\x80\x9d 
reconciliations for each\n                                         database to confirm detailed payroll\n                                         reconciliation shows pertinent data\n                                         describing the payroll (including total\n                                         disbursements, Retirement, TSP,\n                                         Bonds, and other withholdings) and\n                                         the related balances are reconciled, in\n                                         a timely manner, to corresponding\n                                         general ledger accounts within\n                                         DCPS. Reconciling items are\n                                         investigated and cleared on a timely\n                                         basis, prior to disbursement\n\n\n\n                                     32\n\x0c1.3   Record count and control totals         Confirmed through corroborative        No Relevant Exceptions Noted\n      established over source documents       inquiry with appropriate TSO office\n      sent through the Imaging Center are     management and functional users,\n      used to help determine the              that record count and control totals\n      completeness of data entry and          established over source documents\n      processing.                             
sent through the Imaging Center are\n                                              used to help determine the\n                                              completeness of data entry and\n                                              processing.\n                                              Scanned policies and procedures to     Policies and procedures are not\n                                              determine whether such policies        detailed with specific guidance\n                                              require record count and control       governing the control totals used at the\n                                              totals established over source         Imaging Center. However, our testing\n                                              documents sent through the Imaging     confirms control totals exist at the\n                                              Center to be used to help determine    Imaging Center.\n                                              the completeness of data entry and\n                                              processing.\n                                              Observed the imaging of documents      No Relevant Exceptions Noted\n                                              both manually scanned and faxed to\n                                              confirm a unique sequence number is\n                                              used to determine the completeness\n                                              of processing.\n\n1.4   For interfacing systems, record         Confirmed through corroborative        No Relevant Exceptions Noted\n      counts are accumulated and              inquiry with appropriate TSO office\n      compared to footer control totals to    management and functional users,\n      help determine the completeness of      that for interfacing systems, record\n      interface processing.                   
counts are accumulated and\n                                              compared to footer control totals to\n                                              help determine the completeness of\n                                              interface processing.\n\n                                              Scanned policies and procedures to     No Relevant Exceptions Noted\n                                              determine whether such policies\n\n\n\n                                             33\n\x0c                                               require interfacing systems, record\n                                               counts to be accumulated and\n                                               compared to footer control totals to\n                                               help determine the completeness of\n                                               interface processing.\n                                               Scanned interface files to confirm      No Relevant Exceptions Noted\n                                               record counts match control totals in\n                                               the footer to determine completeness\n                                               of interface processing.\n1.5   Payroll transactions at, before, or      Confirmed through corroborative         No Relevant Exceptions Noted\n      after the end of an accounting period    inquiry with the appropriate payroll\n      are scrutinized and/or reconciled to     office management and functional\n      ensure complete and consistent           users that payroll transactions at,\n      recording in the appropriate             before, or after the end of an\n      accounting period.                       
accounting period are scrutinized\n                                               and/or reconciled to ensure complete\n                                               and consistent recording in the\n                                               appropriate accounting period.\n\n                                               Scanned policies and procedures to      Policies and procedures are not\n                                               determine whether such policies         detailed with specific guidance\n                                               require payroll transactions at,        requiring \xe2\x80\x9c592\xe2\x80\x9d reconciliations be\n                                               before, or after the end of an          performed in the appropriate\n                                               accounting period to be scrutinized     accounting period. However, our\n                                               and/or reconciled to ensure complete    testing confirms reconciliations are\n                                               and consistent recording in the         performed in the appropriate\n                                               appropriate accounting period.          
accounting period.\n                                               Inspected a haphazard sample of         No Relevant Exceptions Noted\n                                               \xe2\x80\x9c592\xe2\x80\x9d payroll reconciliations at,\n                                               before, or after the end of an\n                                               accounting period to confirm they are\n                                               scrutinized and/or reconciled to\n                                               ensure complete and consistent\n                                               recording in the appropriate\n                                               accounting period.\n\n\n\n                                              34\n\x0c1.6   Standard programmed algorithms    Confirmed through corroborative          No Relevant Exceptions Noted\n      perform significant payroll       inquiry with appropriate payroll\n      calculations.                     office management and functional\n                                        users that tax table updates based on\n                                        programmed algorithms are tested\n                                        and approved prior to\n                                        implementation.\n                                        Scanned policies and procedures to       No Relevant Exceptions Noted\n                                        determine whether such policies\n                                        require tax table updates based on\n                                        programmed algorithms to be tested\n                                        and approved prior to\n                                        implementation.\n\n                                        Scanned tax table updates based on       No Relevant Exceptions Noted\n                                        programmed algorithms to confirm\n                                        they are 
tested and approved prior to\n                                        implementation.\n\n1.7   Programmed validation and edit    Confirmed through corroborative          No Relevant Exceptions Noted\n      checks identify erroneous data    inquiry with appropriate payroll\n                                        office management and functional\n                                        users that programmed validation and\n                                        edit checks identify erroneous data\n                                        entered directly into DCPS.\n\n                                        Scanned policies and procedures to       No Relevant Exceptions Noted\n                                        determine whether such policies\n                                        require programmed validation and\n                                        edit checks to identify erroneous data\n                                        entered directly into DCPS.\n                                        Observed programmed validation and       No Relevant Exceptions Noted\n                                        edit checks to confirm they identify\n                                        erroneous data entered directly into\n\n\n\n                                       35\n\x0c                                           DCPS.\n1.8   DCPS performs limit and              Confirmed through corroborative         No Relevant Exceptions Noted\n      reasonableness checks on employee    inquiry with appropriate payroll\n      earnings.                            
office management and functional\n                                           users that programs perform limit and\n                                           reasonableness checks on employee\n                                           earnings.\n\n                                           Scanned policies and procedures to      Policies and procedures are not\n                                           determine whether such policies         detailed with specific guidance\n                                           require programs to perform limit       requiring that programs perform limit\n                                           and reasonableness checks on            and reasonableness checks. However,\n                                           employee earnings.                      our testing confirms limit and\n                                                                                   reasonableness checks exist.\n                                           Scanned a limit and reasonableness      No Relevant Exceptions Noted\n                                           report to confirm reasonableness\n                                           checks are performed on employee\n                                           earnings.\n1.9   Summary payroll reports including    Confirmed through corroborative         No Relevant Exceptions Noted\n      total disbursements,                 inquiry with appropriate payroll\n      Retirement, TSP, Bonds, and other    office management and functional\n      withholdings) are reviewed and       users that summary payroll reports\n      approved by management prior to      including total disbursements,\n      disbursement.                        
Retirement, TSP, Bonds, and other\n                                           withholdings) are reviewed and\n                                           approved by management prior to\n                                           disbursement.\n                                           Scanned policies and procedures to      Policies and procedures are not\n                                           confirm that summary payroll reports    detailed with specific guidance\n                                           (including total disbursements,         requiring that summary payroll reports\n                                           Retirement, TSP, Bonds, and other       (including total disbursements,\n                                           withholdings) are to be reviewed and    Retirement, TSP, Bonds, and other\n                                           approved by management prior to         withholdings) be reviewed by\n                                           disbursement.                           
management prior to disbursement.\n                                                                                   However, our testing in Denver and\n\n\n\n                                          36\n\x0c                                                                                     Pensacola confirms reports are\n                                                                                     approved by management prior to\n                                                                                     disbursement.\n                                              Inspected haphazard sample of \xe2\x80\x9c592\xe2\x80\x9d    In the Charleston payroll office, the\n                                              payroll reports (including total       persons who perform the\n                                              disbursements,                         reconciliation also perform the\n                                              Retirement, TSP, Bonds, and other      disbursement release creating the risk\n                                              withholdings) to confirm that they     that disbursements could be sent to\n                                              are reviewed and approved by           DFAS Cleveland for disbursement\n                                              management prior to disbursement.      without proper approval. 
However,\n                                                                                     through corroborative inquiry of\n                                                                                     DFAS Charleston and DFAS\n                                                                                     Cleveland personnel, we confirmed\n                                                                                     that DFAS Cleveland has final\n                                                                                     responsibility for the disbursement of\n                                                                                     funds including net pay and requires a\n                                                                                     signed copy of the reconciliation\n                                                                                     before disbursement\n\n                                                                                     In addition, during our testing we\n                                                                                     noted that original signed copies of the\n                                                                                     reconciliation forms which are sent to\n                                                                                     DFAS Cleveland are not consistently\n                                                                                     maintained at payroll office.\n1.10   Overtime hours worked and              Confirmed through corroborative        No Relevant Exceptions Noted\n       payments for such overtime are         inquiry with appropriate payroll\n       authorized by management for all       office management and functional\n       salaried employees who are paid for    users that overtime hours worked and\n       overtime.                              
payments for such overtime are\n                                              authorized by management for\n                                              salaried employees who are paid for\n                                              overtime.\n                                              Scanned policies and procedures to     Policies and procedures are not\n                                              confirm that overtime hours worked     detailed with specific guidance\n                                              and payments for such overtime are     governing the approval of overtime\n\n\n\n                                             37\n\x0c                                                  authorized by management for             hours. However, we observed the\n                                                  salaried employees who are paid for      performance of procedures that\n                                                  overtime.                                indicate reports are sent to\n                                                                                           departmental managers for review.\n                                                  Scanned control of hours report to       No Relevant Exceptions Noted\n                                                  confirm they are sent to management\n                                                  for salaried employees who are paid\n                                                  for overtime\n1.11   Program code and criteria for tests of     Confirmed through corroborative          No Relevant Exceptions Noted\n       critical calculations are protected        inquiry with appropriate payroll\n       from unauthorized modifications.           
office management and functional\n                                                  users that program code and criteria\n                                                  for tests of critical calculations are\n                                                  protected from unauthorized\n                                                  modifications.\n                                                  Scanned policies and procedures to       No Relevant Exceptions Noted\n                                                  confirm that program code and\n                                                  criteria for tests of critical\n                                                  calculations are protected from\n                                                  unauthorized modifications.\n                                                  Observed program code and criteria       No Relevant Exceptions Noted\n                                                  for tests of critical calculations to\n                                                  confirm that the code and criteria is\n                                                  protected from unauthorized\n                                                  modifications.\n1.12   Overriding or bypassing data               Confirmed through corroborative          No Relevant Exceptions Noted\n       validation and editing is restricted to    inquiry with appropriate payroll\n       supervisors and then only in a limited     office management and functional\n       number of acceptable circumstances.        
  Test of Controls (continued): ... users that overriding or bypassing data validation and editing is restricted to supervisors and then only in a limited number of acceptable circumstances.
  Test of Controls: Scanned policies and procedures to identify guidance for overriding or bypassing data validation and editing, consistent with our discussions with staff.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Observed DCPS processing to confirm that overriding or bypassing data validation and editing is restricted to supervisors and then only in a limited number of acceptable circumstances.
  Test Results: No Relevant Exceptions Noted

1.13  Control Activity: Every override is automatically logged by the application so that the action can be analyzed for appropriateness and correctness.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that every override is automatically logged by the application so that the action can be analyzed for appropriateness and correctness.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to identify guidance for overriding or bypassing data validation and editing, consistent with our discussions with staff.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Observed input into DCPS and noted no overrides were needed.
  Test Results: No Relevant Exceptions Noted

Control Objective APP-2
Controls provide reasonable assurance that only valid, authorized employees are paid.

      Control Activity: All payroll queries are followed up by persons independent of the payroll preparation and disbursement process.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that payroll queries are followed up by the Customer Service Department, which is independent of the payroll preparation and disbursement process.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that payroll queries are to be followed up by persons independent of the payroll preparation and disbursement process.
  Test Results: Policies and procedures are not detailed with specific guidance governing the need for payroll queries to be followed up by persons independent of the payroll process. However, our testing confirms that queries are reviewed by persons independent of the payroll process.
  Test of Controls: Inspected a haphazard sample of payroll queries to confirm they are followed up by persons independent of the payroll preparation and disbursement process.
  Test Results: No Relevant Exceptions Noted

2.2   Control Activity: Access to the payroll bank transfer tape is restricted to authorized personnel.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that access to the payroll bank transfer tape is restricted to authorized personnel.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that access to the payroll bank transfer tape is required to be restricted to authorized personnel.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Inspected access listing to confirm access to the payroll bank transfer tape is restricted to authorized personnel.
  Test Results: No Relevant Exceptions Noted

2.3   Control Activity: Payroll master file and withholding data tables are periodically reviewed for accuracy and ongoing pertinence.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that payroll master files are periodically reviewed for accuracy and ongoing pertinence.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that master files are required to be periodically reviewed.
  Test Results: Policies and procedures are not detailed with specific guidance governing the need for payroll master file data to be periodically reviewed for ongoing pertinence. However, our testing confirms payroll master file data are periodically reviewed for ongoing pertinence.
  Test of Controls: Scanned Online Line Query (OLQs) and reports to determine that master files are periodically reviewed.
  Test Results: No Relevant Exceptions Noted

2.4   Control Activity: Departmental managers periodically review listings of current employees within their departments and notify the personnel department of changes.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that departmental managers periodically review listings of current employees within their departments and notify the personnel department of changes.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that managers are required to periodically review employee listings and notify personnel departments of any changes.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned Personnel/Payroll Reconciliation and Control of Hours Reports to confirm they are sent to management for review of employee listings and notification to the personnel department of changes.
  Test Results: No Relevant Exceptions Noted

2.5   Control Activity: A control log of output product errors is maintained, including the corrective actions taken.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that a control log of output product errors is maintained, including the corrective actions taken.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to identify the requirement for a control log of output product errors to be maintained, including the corrective actions taken.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned the control log of output product errors, known as the Personnel Interface Invalid report, to confirm it is maintained, including the corrective actions taken.
  Test Results: There is no preparer or supervisor sign-off on the control log. No details of corrective actions taken. However, reports are reviewed on a daily basis.

2.6   Control Activity: Payroll input data is edited and validated; identified errors are corrected promptly.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that payroll interface input data is edited and validated and that identified errors are corrected promptly.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to identify a requirement that the payroll interface input data is edited and validated and that identified errors are corrected promptly.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned the Personnel Interface Invalid report of missing or duplicate transactions to confirm items are investigated and resolved timely.
  Test Results: Although testing confirmed that reports are reviewed and worked on a daily basis, we noted that corrective actions are not sufficiently documented and that the preparer or supervisor sign-off is not consistently applied.

2.7   Control Activity: Time reported by employees is reconciled regularly between clock cards/timesheets and payroll reports.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that time reported by employees is reconciled regularly between clock cards/timesheets and payroll reports.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to determine whether such policies require that time reported by employees is to be reconciled regularly between clock cards/timesheets and payroll reports.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned the report of time reported by employees to confirm that it is reconciled regularly between clock cards/timesheets and payroll reports.
  Test Results: No Relevant Exceptions Noted

Control Objective APP-3
Controls provide reasonable assurance of the reliability of DCPS data for financial reporting purposes. Data validation and editing are performed to identify erroneous data. Erroneous data are captured, reported, investigated, and corrected.

      Control Activity: For batch application systems, batches are processed in sequence. Batch processing is observed in real time to ensure jobs process appropriately.
  Test of Controls: Confirmed through corroborative inquiry with appropriate TSO office management and functional users that batch processing is performed in sequence. Scheduled jobs are monitored to ensure they are processing according to schedule.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to determine that, for batch application systems, batches are processed in sequence and batch processing is observed in real time to ensure jobs process appropriately.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Observed batch process monitoring and noted that batch processing is monitored in real time and batches are processed in sequence.
  Test Results: No Relevant Exceptions Noted

3.2   Control Activity: Record counts and control totals are established over the suspense file.
  Test of Controls: Confirmed through corroborative inquiry with appropriate TSO office management and functional users that record counts and control totals are established over the suspense file.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that record counts and control totals are established over the suspense file.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Inspected record counts and control totals to confirm they are established over the suspense file.
  Test Results: No Relevant Exceptions Noted

3.3   Control Activity: A control group is responsible for controlling and monitoring rejected transactions.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that a control group is responsible for controlling and monitoring rejected transactions.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to determine that a control group is responsible for controlling and monitoring rejected transactions.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned the Personnel Interface Invalid report to confirm the report is used for controlling and monitoring rejected transactions.
  Test Results: No Relevant Exceptions Noted

3.4   Control Activity: Authorization profiles effectively protect the suspense file from unauthorized access and modification.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that authorization profiles effectively protect the suspense file from unauthorized access and modification.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that general controls effectively protect the suspense file from unauthorized access and modification.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Observed authorization profiles to confirm that they effectively protect the suspense file from unauthorized access and modification.
  Test Results: No Relevant Exceptions Noted

3.5   Control Activity: Rejected data are automatically written on an automated error suspense file and held until corrected, and each erroneous transaction is annotated with codes indicating the type of data error, the date and time the transaction was processed and the error identified, and the identity of the user who originated the transaction.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that rejected data are automatically written on an automated error suspense file and held until corrected, and each erroneous transaction is annotated with codes indicating the type of data error, the date and time the transaction was processed and the error identified, and the identity of the user who originated the transaction.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that rejected data are required to be automatically written on an automated error suspense file and held until corrected, and each erroneous transaction is annotated with codes indicating the type of data error, the date and time the transaction was processed and the error identified, and the identity of the user who originated the transaction.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned the Personnel Interface Invalid report of rejected data to confirm that the rejected data are automatically written on an automated error suspense file and held until corrected, and each erroneous transaction is annotated with codes indicating the type of data error, the date and time the transaction was processed and the error identified, and the identity of the user who originated the transaction.
  Test Results: No Relevant Exceptions Noted

3.6   Control Activity: The suspense file is purged of transactions as they are corrected.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that the suspense file is purged of transactions as they are corrected.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to determine that the suspense file is purged of transactions as they are corrected.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned the Personnel Interface Invalid report of missing or duplicate transactions and, through corroborative inquiry, confirmed the suspense file is purged of transactions as they are corrected.
  Test Results: Although testing confirmed that reports are reviewed and worked on a daily basis, we noted that corrective actions are not sufficiently documented and that the preparer or supervisor sign-off is not consistently applied.

3.7   Control Activity: The suspense file is used to produce, on a regular basis and for management review, an analysis of the level and type of transaction errors and the age of uncorrected transactions.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that the suspense file is used to produce, on a regular basis and for management review, an analysis of the level and type of transaction errors and the age of uncorrected transactions.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that the suspense file is required to be used to produce, on a regular basis and for management review, an analysis of the level and type of transaction errors and the age of uncorrected transactions.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned the Personnel Invalid Report to confirm the report is used to produce, on a regular basis and for management review, an analysis of the level and type of transaction errors and the age of uncorrected transactions.
  Test Results: No Relevant Exceptions Noted

3.8   Control Activity: Error reports or error files accessible by computer terminal show rejected transactions with error messages that have clearly understandable corrective actions for each type of error.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that error reports or error files accessible by computer terminal show rejected transactions with error messages that have clearly understandable corrective actions for each type of error.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that error reports or error files accessible by computer terminal are required to show rejected transactions with error messages that have clearly understandable corrective actions for each type of error.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned error reports or error files accessible by computer terminal to confirm they show rejected transactions with error messages that have clearly understandable corrective actions for each type of error.
  Test Results: No Relevant Exceptions Noted

3.09  Control Activity: All corrections are reviewed and approved by supervisors before the corrections are reentered.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that corrections are reviewed and approved by supervisors before the corrections are reentered.
  Test Results: There is no supervisor signature on the error report to signify review of the technician’s corrective actions. However, reports are reviewed on a daily basis.
  Test of Controls: Scanned policies and procedures to confirm that corrections are to be reviewed and approved by supervisors before the corrections are reentered.
  Test Results: Policies and procedures are not detailed with specific guidance requiring corrections to be reviewed and approved by supervisors. However, we observed the performance of procedures that indicate corrections are reviewed and approved by supervisors.
  Test of Controls: Scanned the error report, Personnel Interface Invalid, to confirm the report is reviewed and approved by supervisors before the corrections are reentered.
  Test Results: Although testing confirmed that reports are reviewed and worked on a daily basis, we noted that corrective actions are not sufficiently documented and that the preparer or supervisor sign-off is not consistently applied.

Control Objective APP-4
Controls provide reasonable assurance that capabilities exist for fiscal year-end, leave-year-end and calendar year-end processing and forfeitures in accordance with established Government-wide and agency guidelines. Controls provide reasonable assurance that current- or prior-period adjustments to employees’ pay, i.e. employee debt, tax deductions or deductions not taken, are reported, reconciled and approved.

      Control Activity: Payroll transactions at, before, or after the end of an accounting period are scrutinized and/or reconciled to ensure complete and consistent recording in the appropriate accounting period.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll office management and functional users that payroll transactions at the end of a payroll cycle are reconciled to ensure complete and consistent recording in the appropriate accounting period.
  Test Results: No Relevant Exceptions Noted
  Test of Controls: Scanned policies and procedures to confirm that payroll transactions at, before, or after the end of an accounting period are required to be scrutinized and/or reconciled to ensure complete and consistent recording in the appropriate accounting period.
  Test Results: Policies and procedures are not detailed with specific guidance requiring “592” reconciliations to be performed in the appropriate accounting period. However, our testing confirms we observed the performance of procedures that indicate the reconciliations are performed in the appropriate accounting period.
  Test of Controls: Inspected a haphazard sample of “592” payroll reconciliations at the end of a payroll cycle to confirm they are reconciled to ensure complete and consistent recording in the appropriate accounting period.
  Test Results: No Relevant Exceptions Noted

4.2   Control Activity: Payroll withholding table data is periodically reviewed for compliance with statutory requirements.
  Test of Controls: Confirmed through corroborative inquiry with appropriate payroll
office management and functional\n                                              users, payroll withholding table data\n                                              is periodically reviewed for\n                                              compliance with statutory\n                                              requirements.\n                                              Scanned policies and procedures to        No Relevant Exceptions Noted\n                                              confirm that payroll withholding\n                                              table data is required to be\n                                              periodically reviewed for compliance\n                                              with statutory requirements\n                                              Inspected a haphazard sample of           No Relevant Exceptions Noted\n                                              payroll withholding table data\n                                              updates to confirm they are\n                                              periodically updated for compliance\n                                              with statutory requirements.\n4.3     The data processing control group,    Confirmed through corroborative           No Relevant Exceptions Noted\n      or some alternative                     inquiry with appropriate payroll\n      \xe2\x80\xa2has a schedule by application that     office management and functional\n      shows when outputs are to be            users, the data processing control\n      completed, when they need to be         group, or some alternative\n      distributed, who the recipients are,\n      and the copies needed;                  \xe2\x80\xa2   Has a schedule by application\n      \xe2\x80\xa2reviews output products for general        that shows when outputs are\n      acceptability; and                          completed, when they need to be\n\n\n\n                                             
49\n\x0c      \xe2\x80\xa2reconciles control information to            distributed, who the recipients\n      determine completeness of                     are, and the copies needed;\n      processing.                              \xe2\x80\xa2 Review output products for\n                                                    general acceptability;\n                                               \xe2\x80\xa2 Reconciles control information\n                                                    to determine completeness of\n                                                    processing.\n                                               Scanned policies and procedures to        Policies and procedures are not\n                                               confirm that the data processing          detailed with specific guidance that a\n                                               control group, or some alternative,       data processing control group reviews\n                                               \xe2\x80\xa2 Has a schedule by application           output products and has a schedule of\n                                                    that shows when outputs need to      completed outputs. 
However, our\n                                                    be completed, when they need to      testing confirms a data processing\n                                                    be distributed, who the recipients   control group reviews product outputs.\n                                                    are, and the copies needed;\n                                               \xe2\x80\xa2 Reviews output products for\n                                                    general acceptability;\n                                               \xe2\x80\xa2 Reconciles control information\n                                                    to determine completeness of\n                                                    processing.\n                                               Scanned schedules used by the data        No Relevant Exceptions Noted\n                                               processing group, to confirm they\n                                               \xe2\x80\xa2 Have a schedule by application\n                                                    that shows when outputs need to\n                                                    be completed, when they need to\n                                                    be distributed, who the recipients\n                                                    are, and the copies needed;\n                                               \xe2\x80\xa2 Reviews output products for\n                                                    general acceptability;\n                                               \xe2\x80\xa2 Reconcile control information to\n                                                    determine completeness of\n                                                    processing\n4.4   Users review output reports for data     Confirmed through corroborative           No Relevant Exceptions Noted\n      accuracy, validity, and completeness.    
inquiry with appropriate payroll\n      The reports include                      office management and functional\n\n\n\n                                              50\n\x0c      \xe2\x80\xa2error reports\xe2\x80\xa2                    users, users review output reports for\n      \xe2\x80\xa2master record change reports,     data accuracy, validity, and\n      \xe2\x80\xa2exception reports                 completeness. The reports include\n                                          \xe2\x80\xa2 Error reports;\n                                          \xe2\x80\xa2 Master record change reports;\n                                          \xe2\x80\xa2 Exception reports.\n                                         Scanned policies and procedures to       Policies and procedures were not\n                                         determine whether such policies          detailed with specific guidance that\n                                         require users to review output reports   output errors included error and\n                                         for data accuracy, validity, and         transaction reports, and master record\n                                         completeness. The reports include        change reports. However, our testing\n                                         \xe2\x80\xa2 Error reports;                         confirms that output errors include\n                                         \xe2\x80\xa2 Master record change reports;          error and transaction reports.\n                                         \xe2\x80\xa2 Exception reports.\n                                         Scanned the Personnel Interface          No Relevant Exceptions Noted\n                                         Invalid report users review for output\n                                         to confirm the reports are reviewed\n                                         data accuracy, validity, and\n                                         completeness. 
The reports include\n                                         \xe2\x80\xa2 Error reports;\n                                         \xe2\x80\xa2 Master record change reports;\n                                         \xe2\x80\xa2 Exception reports.\n4.5   Programmed validation and edit     Confirmed through corroborative          No Relevant Exceptions Noted\n      checks identify erroneous data.    inquiry with appropriate payroll\n                                         office management and functional\n                                         users, that programmed validation\n                                         and edit checks identify erroneous\n                                         data entered directly into DCPS.\n                                         Scanned policies and procedures to       No Relevant Exceptions Noted\n                                         confirm that programmed validation\n                                         and edit checks identify erroneous\n                                         data are required to be entered\n                                         directly into DCPS\n                                         Observed programmed validation and       No Relevant Exceptions Noted\n                                         edit checks to confirm that they\n\n\n\n                                        51\n\x0c                                               identify erroneous data entered\n                                               directly into DCPS.\n4.6   The detailed payroll reconciliation      Confirmed through corroborative           No Relevant Exceptions Noted\n      shows pertinent data describing the      inquiry with appropriate payroll\n      payroll (including total                 office management and functional\n      disbursements,                           users, that the detailed payroll\n      Retirement, Thrift Savings Plan          reconciliation shows pertinent data\n      (TSP), Bonds, and 
other                  describing the payroll (including total\n      withholdings) and the related            disbursements,\n      balances are reconciled, in a timely     Retirement, (TSP), Bonds, and other\n      manner, to corresponding general         withholdings) and the related\n      ledger accounts within DCPS. All         balances are reconciled, in a timely\n      reconciling items are investigated and   manner, to corresponding general\n      cleared on a timely basis, prior to      ledger accounts within DCPS.\n      disbursement                             Reconciling items are investigated\n                                               and cleared on a timely basis, prior to\n                                               disbursement.\n                                               Scanned policies and procedures to        Policies and procedures are not\n                                               confirm that the detailed payroll         detailed with specific guidance\n                                               records show pertinent data               requiring \xe2\x80\x9c592\xe2\x80\x9d reconciliations be\n                                               describing the payroll (including total   performed and how to handle\n                                               compensation, related income taxes,       reconciling items. 
However our\n                                               and other withholdings) and the           testing confirms that reconciling items\n                                               related balances are to be reconciled,    are handled appropriately.\n                                               in a timely manner, to corresponding\n                                               general ledger accounts or entries by\n                                               persons who do not have unrestricted\n                                               access to cash; and reconciling items\n                                               are investigated and cleared on a\n                                               timely basis.\n                                               Inspected haphazard sample of \xe2\x80\x9c592\xe2\x80\x9d       No Relevant Exceptions Noted\n.                                              reconciliation for each database and\n                                               noted detailed payroll records show\n                                               pertinent data describing the payroll\n                                               (including total compensation,\n\n\n\n                                           52\n\x0c related income taxes, and other\n withholdings) and the related\n balances are reconciled, in a timely\n manner, to corresponding general\n ledger accounts or entries by persons\n who do not have unrestricted access\n to cash. 
Reconciling items are\n investigated and cleared on a timely\n basis.\n\n\n\n\n53\n\x0cControl Objective APP-5                    Control Activity                           Test of Controls                        Test Results\nControls provide reasonable assurance      All transactions are logged as             Confirmed through corroborative         No Relevant Exceptions Noted\nthat data transmissions between DCPS       entered, along with the terminal ID        inquiry with appropriate payroll\nand user organizations are authorized,     and the ID of the person entering the      office management and functional\ncomplete, accurate and secure. All         data.                                      users that transactions are logged as\napplication users are appropriately                                                   entered, along with the terminal ID\nidentified and authenticated. Access to                                               and the ID of the person entering the\nthe application and output is restricted                                              data.\nto authorized users for authorized\npurposes.\n                                                                                      Scanned policies and procedures to      No Relevant Exceptions Noted\n                                                                                      confirm that transactions are to be\n                                                                                      logged as entered, along with the\n                                                                                      terminal ID and the ID of the person\n                                                                                      entering the data.\n                                                                                      Observed the operation of the           No Relevant Exceptions Noted\n                                                                              
        system, including the most recent\n                                                                                      alerts. Interviewed the personnel\n                                                                                      monitoring the system to determine\n                                                                                      their knowledge of the procedures.\n                                                                                      Scanned manually maintained logs\n                                                                                      and records to determine that the\n                                                                                      appropriate audit functions are being\n                                                                                      performed.\n5.2                                        Significant fields are rekeyed or error    Confirmed through corroborative         No Relevant Exceptions Noted\n                                           messages are available to verify the       inquiry with appropriate payroll\n                                           accuracy of data entry.                    
office management and functional\n                                                                                      users that significant fields are\n                                                                                      rekeyed or error messages are\n                                                                                      available to verify the accuracy of\n                                                                                      data entry.\n                                                                                      Scanned policies and procedures to      No Relevant Exceptions Noted\n                                                                                      confirm that they require significant\n                                                                                      fields are rekeyed or error messages\n\n\n\n                                                                                     54\n\x0c                                                are available to verify the accuracy of\n                                                data entry.\n                                                Observed significant fields and noted     No Relevant Exceptions Noted\n                                                error messages are available to verify\n                                                the accuracy of data entry.\n5.3   Effective use is made of automated        Confirmed through corroborative           No Relevant Exceptions Noted\n      entry or error detection mechanisms       inquiry with appropriate payroll\n      to reduce the potential for data entry    office management and functional\n      errors.                                   
users effective use is made of\n                                                automated entry or error detection\n                                                mechanisms to reduce the potential\n                                                for data entry errors.\n                                                Scanned policies and procedures to        No Relevant Exceptions Noted\n                                                confirm that effective use is made of\n                                                automated entry or error detection\n                                                mechanisms are required to reduce\n                                                the potential for data entry errors.\n                                                Observed user entering data to            No Relevant Exceptions Noted\n                                                confirm error reporting exists.\n5.4   On-line access logs are maintained        Confirmed through corroborative           No Relevant Exceptions Noted\n      by the system, and the logs are           inquiry with appropriate payroll\n      reviewed regularly for unauthorized       office management and functional\n      access attempts.                          
users that on-line access logs are\n                                                maintained by the system, and the\n                                                logs are reviewed regularly for\n                                                unauthorized access attempts.\n                                                Scanned policies and procedures to        No Relevant Exceptions Noted\n                                                confirm that on-line access logs are\n                                                required to be maintained by the\n                                                system, and the logs are reviewed\n                                                regularly for unauthorized access\n                                                attempts.\n                                                Scanned haphazard sample of e-mail        No Relevant Exceptions Noted\n                                                for unauthorized access attempts to\n                                                confirm that they are maintained by\n\n\n\n                                               55\n\x0c                                               the SMO, and the logs are reviewed\n                                               regularly for unauthorized access\n                                               attempts.\n5.5   Each operator is required to have a      Confirmed through corroborative          No Relevant Exceptions Noted\n      completed and approved                   inquiry with appropriate payroll\n      authorization form before being          office management and functional\n      granted access to the system.            
users, that each operator is required\n                                               to have an authorization form before\n                                               being granted access to the system.\n                                               Scanned policies and procedures to       No Relevant Exceptions Noted\n                                               confirm that each operator is required\n                                               to have an authorization form before\n                                               being granted access to the system.\n\n                                               Inspected a haphazard sample of user     Out of twenty-three user authorization\n                                               authorization forms to confirm that      forms selected for testing in\n                                               each operator is required to have an     Charleston, noted one where the user\xe2\x80\x99s\n                                               authorization form before being          form could not be located and ten\n                                               granted access to the system.            
where access granted could not match\n                                                                                        access approved.\n\n                                                                                        Out of nineteen user authorization\n                                                                                        forms selected for testing Pensacola,\n                                                                                        noted one account where an\n                                                                                        authorization form did not exist, and\n                                                                                        two where access granted did not\n                                                                                        match access provided.\n\n                                                                                        For those whose access represented\n                                                                                        supervisor or equivalent access,\n                                                                                        management concurred with the level\n                                                                                        of access provided.\n5.6   Supervisors sign on to each terminal     Confirmed through corroborative          No Relevant Exceptions Noted\n      device, or authorize terminal usage      inquiry with appropriate payroll\n      from a program file server, before an    office management and functional\n\n\n\n                                              56\n\x0c      operator can sign on to begin work       users, that Supervisors sign on to\n      for the day.                             
each terminal device, or authorize\n                                               terminal usage from a program file\n                                               server, before an operator can sign on\n                                               to begin work for the day.\n                                               Scanned policies and procedures to       No Relevant Exceptions Noted\n                                               confirm that Supervisors are required\n                                               to sign on to each terminal device, or\n                                               authorize terminal usage from a\n                                               program file server, before an\n                                               operator can sign on to begin work\n                                               for the day.\n                                               Observed sign on process to confirm      No Relevant Exceptions Noted\n                                               that Supervisors sign on to each\n                                               terminal device, or authorize terminal\n                                               usage from a program file server,\n                                               before an operator can sign on to\n                                               begin work for the day.\n5.7   Data entry terminals are connected to    Confirmed through corroborative          No Relevant Exceptions Noted\n      the system only during specified         inquiry with appropriate payroll\n      periods of the day, which                office management and functional\n      corresponds with the business hours      users, that data entry terminals are\n      of the data entry personnel.             
connected to the system only during\n                                               specified periods of the day, which\n                                               corresponds with the business hours\n                                               of the data entry personnel.\n                                               Scanned policies and procedures          No Relevant Exceptions Noted\n                                               confirm that data entry terminals are\n                                               to be connected to the system only\n                                               during specified periods of the day,\n                                               which corresponds with the business\n                                               hours of the data entry personnel.\n                                               Observed after-hours processes to        No Relevant Exceptions Noted\n                                               confirm terminals are not authorized\n                                               to be connected after business hours.\n\n\n\n                                              57\n\x0c5.8    Each terminal automatically             Confirmed through corroborative          No Relevant Exceptions Noted\n       disconnects from the system when        inquiry with appropriate payroll\n       not used after a specified period of    office management and functional\n       time.                                   
users, that each terminal\n                                               automatically disconnects from the\n                                               system when not used after a\n                                               specified period of time.\n                                               Scanned policies and procedures to       No Relevant Exceptions Noted\n                                               confirm that each terminal is required\n                                               to automatically disconnect from the\n                                               system when not used after a\n                                               specified period of time.\n                                               Observed system inactivity to            No Relevant Exceptions Noted\n                                               confirm that each terminal\n                                               automatically disconnects from the\n                                               system when not used after a\n                                               specified period of time.\n5.9    When terminals are not in use,          Confirmed through corroborative          No Relevant Exceptions Noted\n       terminal rooms are locked, or the       inquiry with appropriate payroll\n       terminals are capable of being          office management and functional\n       secured.                                
users, that when terminals are not in use, terminal rooms are locked, or the terminals are capable of being secured.
      Test: Scanned policies and procedures to determine that when terminals are not in use, terminal rooms are required to be locked, or the terminals are capable of being secured.
      Result: No Relevant Exceptions Noted
      Test: Observed the facilities to confirm that when terminals are not in use, terminal rooms are locked, or the terminals are capable of being secured.
      Result: No Relevant Exceptions Noted

5.10  Data entry terminals are located in physically secure rooms.
      Test: Observed that data entry terminals are located in physically secure rooms.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that data entry terminals are required to be located in physically secure rooms.
      Result: No Relevant Exceptions Noted
      Test: Observed the facilities to confirm that data entry terminals are located in physically secure rooms.
      Result: No Relevant Exceptions Noted

5.11  Remote terminal connections are secured and are connected via government computers.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, that remote terminal connections are secured and are connected via government computers.
      Result: Users have the ability to logon from home via remote connection from their non-government issued personal computers. However, in order to gain access to DCPS all users must also authenticate with a valid DCPS username and password regardless of whether they connect remotely or from their office.
      Test: Scanned policies and procedures to confirm that remote terminal connections are required to be secured and are connected via government computers.
      Result: No Relevant Exceptions Noted
      Test: Observed remote terminal connections to confirm they are secured and are connected via government computers.
      Result: Users have the ability to logon from home via remote connection from their non-government issued personal computers. However, in order to gain access to DCPS all users must also authenticate with a valid DCPS username and password regardless of whether they connect remotely or from their office.

5.12  Authorization profiles over terminals limit what transactions can be entered from a given terminal.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, that authorization profiles over terminals limit what transactions can be entered from a given terminal.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that authorization profiles over terminals are required to limit what transactions can be entered from a given terminal.
      Result: Policies and procedures are not detailed with specific guidance restricting the number of accounts with Supervisor access or Master Employee Record (MER) update and Time and Attendance (T/A) access. However, our inquiries confirm these accounts are given to authorized employees who DFAS feels need this level of access to perform their duties.
      Test: Inspected haphazard sample of user authorization forms to confirm that authorization profiles limit what transactions can be entered from a given terminal.
      Result: No relevant exceptions noted; however, in performing our tests we noted that management had authorized a large number of personnel to use personnel accounts. These numbers appear excessive given the access and responsibility these accounts maintain. In subsequent discussions with management, we noted these supervisor accounts are provided to authorized employees who DFAS feels need this level of access to perform their duties.

5.13  Authorization profiles over users limit what transactions data entry personnel can enter.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, that authorization profiles over users limit what transactions data entry personnel can enter.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that user authorization profiles are required to limit what transactions data entry personnel can enter.
      Result: No Relevant Exceptions Noted
      Test: Inspected haphazard sample of user authorization profiles to confirm they limit what transactions can be entered from a given terminal.
      Result: No Relevant Exceptions Noted

5.14  Preformatted computer terminal screens are utilized and allow prompting for data to be entered, and editing of data as it is entered.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, that preformatted computer terminal screens are utilized and allow prompting for data to be entered, and editing of data as it is entered.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that user authorization profiles are required to limit what transactions data entry personnel can enter.
      Result: No Relevant Exceptions Noted
      Test: Observed haphazard sample of screen shots of preformatted computer terminal screens to confirm they are utilized and allow prompting for data to be entered, and editing of data as it is entered.
      Result: No Relevant Exceptions Noted

Control Objective APP-6 / Control Activity / Test of Controls / Test Results

Control Objective: Controls are reasonable to ensure that transactions from interfacing systems are subjected to the payroll system edits, validations and error-correction procedures.

Control Activity: Computer generated record counts and control totals are established over and entered with batch transaction data, and reconciled to determine the completeness of data entry.
      Test: Confirmed through corroborative inquiry with appropriate TSO office management and functional users, that record counts and control totals are established over and entered with batch transaction data, and reconciled to determine the completeness of data entry.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to determine whether such policies require record counts and control totals to be established over and entered with batch transaction data, and reconciled to determine the completeness of data entry.
      Result: No Relevant Exceptions Noted
      Test: Scanned record counts and control totals to confirm they are established over and entered with batch transaction data, and reconciled to determine the completeness of data entry.
      Result: No Relevant Exceptions Noted

6.2   Trailer labels or control records containing record counts and control totals are generated for all computer files and tested by application programs to determine that all records have been processed.
      Test: Confirmed through corroborative inquiry with appropriate TSO office management and functional users, that trailer labels or control records containing record counts and control totals are generated for computer files and tested by application programs to determine that records have been processed successfully.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that trailer labels or control records containing record counts and control totals are required to be generated for computer files and tested by application programs to determine that records have been processed successfully.
      Result: No Relevant Exceptions Noted
      Test: Scanned trailer labels or control records containing record counts and control totals to confirm they are generated for computer files and tested by application programs to determine that records have been processed successfully.
      Result: No Relevant Exceptions Noted

6.3   A data processing control group receives and reviews control total reports, and determines the completeness of processing.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, that a data processing control group receives and reviews control total reports, and determines the completeness of processing.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that a data processing control group is required to receive and review control total reports, and determine the completeness of processing.
      Result: No Relevant Exceptions Noted
      Test: Scanned the Personnel Interface Invalid report to confirm a data processing control group receives and reviews control total reports, and determines the completeness of processing.
      Result: Although testing confirmed that reports are reviewed and worked on a daily basis, we noted that corrective actions are not sufficiently documented and that the preparer or supervisor sign-off is not consistently applied.

6.4   Reconciliations are performed to determine the completeness of transactions processed, master files updated, and outputs generated.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, that reconciliations are performed to determine the completeness of transactions processed, master files updated, and outputs generated.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that reconciliations are to be performed to determine the completeness of transactions processed, master files updated, and outputs generated.
      Result: Policies and procedures are not detailed with specific guidance requiring “592” reconciliations be performed and how to handle reconciling items. However, our testing confirms that reconciling items are completed appropriately.
      Test: Inspected haphazard sample of “592” reconciliations to confirm that they are performed to determine the completeness of transactions processed, master files updated, and outputs generated.
      Result: No Relevant Exceptions Noted

6.5   Computer-generated control totals (run-to-run totals) are automatically reconciled between jobs to check for completeness of processing.
      Test: Confirmed through corroborative inquiry with appropriate TSO office management and functional users, that computer-generated control totals (run-to-run totals) are automatically reconciled between jobs to check for completeness of processing.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that computer-generated control totals (run-to-run totals) are required to be automatically reconciled between jobs to check for completeness of processing.
      Result: No Relevant Exceptions Noted
      Test: Scanned record counts and control totals to confirm they are established over and entered with transaction data, and reconciled to determine the completeness of data entry.
      Result: No Relevant Exceptions Noted

6.6   System interfaces require that the sending system's output control counts equal the receiving system's determined input counts.
      Test: Confirmed through corroborative inquiry with appropriate TSO office management and functional users, that system interfaces require that the sending system's output control counts equal the receiving system's determined input counts.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that system interfaces require that the sending system's output control counts equal the receiving system's determined input counts.
      Result: No Relevant Exceptions Noted
      Test: Scanned record counts and control totals to confirm interfaces require that the sending system's output control counts equal the receiving system's determined input counts.
      Result: No Relevant Exceptions Noted

6.7   Program code for data validation and editing, and associated tables or files are protected from unauthorized modifications.
      Test: Confirmed through corroborative inquiry with appropriate TSO office management and functional users, that program code for data validation and editing and associated tables or files are protected from unauthorized modifications.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to determine whether such policies require program code for data validation and editing and associated tables or files to be protected from unauthorized modifications.
      Result: No Relevant Exceptions Noted
      Test: Scanned access logs to confirm only authorized users have access to the system software.
      Result: No Relevant Exceptions Noted
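The batch-completeness controls listed under APP-6 (record counts and control totals entered with the batch, a trailer record tested by the receiving program, and the sending system's output counts reconciled to the receiving system's input counts) are shown below in working form. This Python is an added example, not code from the report, DFAS or DCPS; the pipe-delimited header/detail/trailer layout, the field names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import List, Optional

# Constructed sample interface file (not the DCPS format): header (H), detail
# records (D) and a trailer (T) carrying the record count and two control totals.
SAMPLE_BATCH = """\
H|BATCH-0001|2004-09-10
D|E1001|80.00|2450.00
D|E1002|72.50|2101.25
D|E1003|80.00|3010.10
T|3|232.50|7561.35
"""

CONTROLLED_FIELDS = ("record_count", "hours_total", "amount_total")

@dataclass
class ControlTotals:
    """Record count plus control totals over the detail records."""
    record_count: int = 0
    hours_total: Decimal = Decimal("0")
    amount_total: Decimal = Decimal("0")

@dataclass
class BatchCheck:
    """Outcome of testing one batch against its trailer record."""
    ok: bool
    computed: ControlTotals
    trailer: Optional[ControlTotals]
    exceptions: List[str] = field(default_factory=list)

def _valid_detail(rec: List[str]) -> bool:
    """A detail record has four fields with numeric hours and amount."""
    if len(rec) != 4:
        return False
    try:
        Decimal(rec[2]), Decimal(rec[3])
    except InvalidOperation:
        return False
    return True

def compute_totals(details: List[List[str]]) -> ControlTotals:
    """Independently count the detail records and sum the controlled fields."""
    totals = ControlTotals()
    for rec in details:
        totals.record_count += 1
        totals.hours_total += Decimal(rec[2])
        totals.amount_total += Decimal(rec[3])
    return totals

def check_batch(text: str) -> BatchCheck:
    """Trailer-record test: one header first, exactly one trailer last, and the
    trailer's count and totals equal to what the receiving program computes."""
    exceptions: List[str] = []
    records = [ln.split("|") for ln in text.splitlines() if ln.strip()]
    if not records or records[0][0] != "H":
        exceptions.append("missing header record")
    details = [r for r in records if r[0] == "D" and _valid_detail(r)]
    rejected = [r for r in records if r[0] not in ("H", "T") and r not in details]
    if rejected:
        exceptions.append(f"{len(rejected)} malformed record(s) rejected")

    trailer: Optional[ControlTotals] = None
    trailers = [r for r in records if r[0] == "T"]
    if len(trailers) != 1:
        # A missing trailer is how a transmission cut off mid-file shows up.
        exceptions.append(f"expected exactly one trailer record, found {len(trailers)}")
    elif records[-1][0] != "T":
        exceptions.append("records follow the trailer")
    else:
        try:
            t = trailers[0]
            trailer = ControlTotals(int(t[1]), Decimal(t[2]), Decimal(t[3]))
        except (IndexError, ValueError, InvalidOperation):
            exceptions.append("trailer record is unreadable")

    computed = compute_totals(details)
    if trailer is not None:
        for name in CONTROLLED_FIELDS:
            stated, got = getattr(trailer, name), getattr(computed, name)
            if stated != got:
                exceptions.append(f"{name} mismatch: trailer {stated}, computed {got}")
    return BatchCheck(not exceptions, computed, trailer, exceptions)

def reconcile_interface(sent: ControlTotals, received: BatchCheck) -> List[str]:
    """Interface test: the sending system's output control counts must equal the
    counts the receiving system determined from the records it actually read."""
    discrepancies = []
    for name in CONTROLLED_FIELDS:
        out, inp = getattr(sent, name), getattr(received.computed, name)
        if out != inp:
            discrepancies.append(f"{name}: sent {out}, received {inp}")
    return discrepancies
```

A trailer that is missing, a record altered or dropped in transit, and data appended after the trailer each surface as a distinct exception rather than as a silently short payroll run.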
Control Objective APP-7 / Control Activity / Test of Controls / Test Results

Control Objective: Controls are reasonable to ensure that transactions from interfacing systems are subjected to the payroll system edits, validations and error-correction procedures. Data validation and editing are performed to identify erroneous data. Erroneous data are captured, reported, investigated, and corrected.

Control Activity: The data processing control group, or some alternative
      • has a schedule by application that shows when outputs are to be completed, when they need to be distributed, who the recipients are, and the copies needed;
      • reviews output products for general acceptability; and
      • reconciles control information to determine completeness of processing.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, the data processing control group, or some alternative
      • Has a schedule by application that shows when outputs are to be completed, when they need to be distributed, who the recipients are, and the copies needed;
      • Reviews output products for general acceptability; and
      • Reconciles control information to determine completeness of processing.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that the data processing control group, or some alternative
      • Have a schedule by application that shows when outputs are to be completed, when they need to be distributed, who the recipients are, and the copies needed;
      • Review output products for general acceptability; and
      • Reconcile control information to determine completeness of processing.
      Result: Policies and procedures are not detailed with specific guidance requiring that management monitor disbursing schedules. However, we observed the performance of procedures that indicate management is monitoring disbursing schedules.
      Test: Scanned haphazard sample of schedules used by the data processing group, and noted
      • Has a schedule by application that shows when outputs need to be completed, when they need to be distributed, who the recipients are, and the copies needed;
      • Reviews output products for general acceptability; and
      • Reconciles control information to determine completeness of processing.
      Result: No Relevant Exceptions Noted

7.2   Printed reports contain a title page with report name, time and date of production, the processing period covered; and have an "end-of-report" message.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, printed reports contain a title page with report name, time and date of production, the processing period covered; and have an "end-of-report" message.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm printed reports are required to contain a title page with report name, time and date of production, the processing period covered; and have an "end-of-report" message.
      Result: No Relevant Exceptions Noted
      Test: Scanned haphazard sample of printed reports to confirm they contain a title page with report name, time and date of production, the processing period covered.
      Result: No Relevant Exceptions Noted

7.3   Each output produced is logged, manually if not automatically, including the recipient(s) who receive the output. Each transmission of output to a user's terminal device is also logged.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, each output produced is logged, manually if not automatically, including the recipient(s) who receive the output. Each transmission of output to a user's terminal device is also logged.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to confirm that each output produced is to be logged, manually if not automatically, including the recipient(s) who receive the output. Each transmission of output to a user's terminal device is also logged.
      Result: Policies and procedures are not detailed with specific guidance requiring that each output be logged, including the user's terminal and the recipient. However, we observed the performance of procedures that indicate these reports are being reviewed regularly.
      Test: Observed MECSAR to confirm reports are logged, manually if not automatically, including the recipient(s) who receive the output. Each transmission of output to a user's terminal device is also logged.
      Result: No Relevant Exceptions Noted

7.4   A control log of output product errors is maintained, including the corrective actions taken.
      Test: Confirmed through corroborative inquiry with appropriate payroll office management and functional users, a control log of output product errors is maintained, including the corrective actions taken.
      Result: No Relevant Exceptions Noted
      Test: Scanned policies and procedures to identify the requirement for a control log of output product errors to be maintained, including the corrective actions taken.
      Result: No Relevant Exceptions Noted
      Test: Scanned the Personnel Interface Invalid report of missing or duplicate transactions to confirm it is
      Result: Although testing confirmed that reports are reviewed and worked on a daily basis, we noted that
corrective\n                                               maintained, including the corrective     actions are not sufficiently\n                                               actions taken.                           documented.\n7.5   Output from reruns is subjected to       Confirmed through corroborative          No Relevant Exceptions Noted\n      the same quality review as the           inquiry with appropriate payroll\n      original output.                         office management and functional\n                                               users, output from reruns are\n                                               subjected to the same quality review\n                                               as the original output.\n                                               Scanned policies and procedures to       No Relevant Exceptions Noted\n                                               confirm that output from reruns are\n                                               subjected to the same quality review\n                                               as the original output.\n\n\n\n                                           68\n\x0c                                               Scanned Personnel Interface Invalid        No Relevant Exceptions Noted\n                                               report to confirm it is subjected to the\n                                               same quality review as the original\n                                               output.\n7.6   Users review output reports for data     Confirmed through corroborative            No Relevant Exceptions Noted\n      accuracy, validity, and completeness.    
inquiry with appropriate payroll\n      The reports include:                     office management and functional\n      \xe2\x80\xa2error reports                           users, users review output reports for\n      \xe2\x80\xa2master record change reports, and,      data accuracy, validity, and\n      \xe2\x80\xa2exception reports                       completeness. The reports include:\n                                                \xe2\x80\xa2 Error reports;\n                                                \xe2\x80\xa2 Master record change reports;\n                                                \xe2\x80\xa2 Exception reports.\n                                               Scanned policies and procedures and        Policies and procedures are not\n                                               noted users review output reports for      detailed with specific guidance\n                                               data accuracy, validity, and               requiring that users review output\n                                               completeness. The reports include:         reports for accuracy, validity, and\n                                               \xe2\x80\xa2 Error reports                            completeness. However, we observed\n                                               \xe2\x80\xa2 Master record change reports;            the performance of procedures that\n                                               \xe2\x80\xa2 Exception reports.                       indicate reports are reviewed for\n                                                                                          validity and completeness.\n                                               Scanned Personnel Interface Invalid        No Relevant Exceptions Noted\n                                               report users review for accuracy,\n                                               validity, and completeness. 
The\n                                               reports include:\n                                               \xe2\x80\xa2 Error reports;\n                                               \xe2\x80\xa2 Master record change reports;\n                                               \xe2\x80\xa2 Exception reports.\n7.7   For on-line or real-time systems,        Confirmed through corroborative            No Relevant Exceptions Noted\n      record count and control totals are      inquiry with appropriate TSO office\n      accumulated progressively for a          management and functional users, for\n      specific time period (daily or more      on-line or real-time systems, record\n      frequently) and are used to help         count and control totals are\n      determine the completeness or data       accumulated progressively for a\n      entry and processing.                    specific time period (daily or more\n\n\n\n                                              69\n\x0c                                                                               frequently) and are used to help\n                                                                               determine the completeness or data\n                                                                               entry and processing.\n                                                                               Scanned policies and procedures to        No Relevant Exceptions Noted\n                                                                               confirm that on-line or real-time\n                                                                               systems, record count and control\n                                                                               totals are required to be accumulated\n                                                                               progressively for a specific time\n                                                                   
            period (daily or more frequently) and\n                                                                               are used to help determine the\n                                                                               completeness or data entry and\n                                                                               processing.\n                                                                               Scanned record counts and control         No Relevant Exceptions Noted\n                                                                               total interface files to confirm they\n                                                                               are accumulated progressively for a\n                                                                               specific time period (daily or more\n                                                                               frequently) and are used to help\n                                                                               determine the completeness or data\n                                                                               entry and processing.\n\nControl Objective APP-8                 Control Activity                       Test of Controls                           Test Results\nControls provide reasonable assurance   All documents and storage media are    Confirmed through corroborative            No Relevant Exceptions Noted\nthat personnel payroll records and      stored in physically and               inquiry with appropriate payroll office\nother sensitive information is          environmentally secure containers.     management and functional users,\nmaintained and disposed of in                                                  documents and storage media are\naccordance with Government-wide                                                stored in physically and\nand agency specific guidelines.                                 
               environmentally secure containers.\n                                                                               Scanned policies and procedures to         No Relevant Exceptions Noted\n                                                                               confirm that documents and storage\n                                                                               media are stored in physically and\n                                                                               environmentally secure containers.\n                                                                               Observed storage processes to confirm      No Relevant Exceptions Noted\n                                                                               documents and storage media are\n                                                                               stored properly in environmentally\n                                                                               secure containers.\n\n\n\n                                                                              70\n\x0c8.2   The system maintains and/or               Confirmed through corroborative             No Relevant Exceptions Noted\n      disposes of personnel and payroll         inquiry with appropriate payroll office\n      records in accordance with                management and functional users, the\n      government-wide and agency-               system maintains personnel and payroll\n      specific guidelines.                      
records in accordance with\n                                                government-wide and agency-specific\n                                                guidelines.\n                                                Scanned policies and procedures to          No Relevant Exceptions Noted\n                                                confirm that the system is required to\n                                                maintain personnel and payroll records\n                                                in accordance with government-wide\n                                                and agency-specific guidelines.\n                                                Observed the personnel and payroll          No Relevant Exceptions Noted\n                                                record storage processes to confirm the\n                                                system maintains personnel and payroll\n                                                records in accordance with\n                                                government-wide and agency-specific\n                                                guidelines.\n8.3   All visitors to the Payroll Office must   Confirmed through corroborative             No Relevant Exceptions Noted\n      sign-in and out with the authorized       inquiry with appropriate payroll office\n      security personnel.                       
management and functional users,\n                                                visitors to the Payroll Office must sign-\n                                                in and out with the authorized security\n                                                personnel.\n                                                Scanned policies and procedures to          No Relevant Exceptions Noted\n                                                confirm that visitors to the Payroll\n                                                Office must sign-in and out with the\n                                                authorized security personnel.\n                                                Scanned visitor log to the payroll office   No Relevant Exceptions Noted\n                                                to confirm that visitors must sign-in\n                                                and with the authorized security\n                                                personnel.\n8.4   All terminals and payroll records are     Confirmed through corroborative             No Relevant Exceptions Noted\n      located in physically secured             inquiry with appropriate payroll office\n      locations.                                
management and functional users,\n\n\n\n                                              71\n\x0c                                          terminals and payroll records are\n                                          located in physically secured locations.\n                                          Scanned policies and procedures to         No Relevant Exceptions Noted\n                                          confirm that terminals and payroll\n                                          records are located in physically\n                                          secured locations.\n                                          Toured and observed the terminal           No Relevant Exceptions Noted\n                                          rooms to confirm they are physically\n                                          secure.\n8.5   Users maintain and/or dispose of    Confirmed through corroborative            No Relevant Exceptions Noted\n      personnel and payroll records in    inquiry with appropriate payroll office\n      accordance with government-wide     management and functional users, that\n      and agency-specific guidelines.     
users maintain and/or dispose of\n                                          personnel and payroll records in\n                                          accordance with government-wide and\n                                          agency-specific guidelines.\n                                          Scanned policies and procedures to         No Relevant Exceptions Noted\n                                          confirm that users maintain and/or\n                                          dispose of personnel and payroll\n                                          records in accordance with\n                                          government-wide and agency-specific\n                                          guidelines.\n                                          Observed destruction bins to confirm       No Relevant Exceptions Noted\n                                          that payroll records are disposed of in\n                                          accordance with government-wide and\n                                          agency-specific guidelines.\n\n\n\n\n                                         72\n\x0cSecurity Design and Configuration Availability (SDCA)\n\nControl Objective SDCA-1               Control Activity                            Test of Controls                     Test Results\nProcedural Review - An annual IA       DOD and DFAS policy both direct an          Scanned DECC ME System               DECC ME \xe2\x80\x93 The Risk Assessment\nreview is conducted that               annual Information assurance review.        Readiness Reports (SRR) and          has been performed, however it is not\ncomprehensively evaluates existing     Review appropriate generated                corroborated IA reviews for SRR      in total compliance with DoD 8510.1-\npolicies and processes to ensure       documentation to ensure that these          process with Information Assurance   M. 
SRR reviews are regularly\nprocedural consistency and to ensure   processes are accomplished.                 Manager. Scanned Residual Risk       performed which may detect non-\nthat they fully support the goal of                                                Assessment for DCPS SSAA re-         items that are non-compliant with\nuninterrupted operations.                                                          accreditation and corroborated the   DISA standards.\n                                                                                   review process with DCPS ISSO.\n                                                                                                                        TSOPE \xe2\x80\x93 DCPS does not perform\n                                                                                                                        annual Information Assurance\n                                                                                                                        reviews. 
However DCPS is audited\n                                                                                                                        each year by various entities and the\n                                                                                                                        scope of the reviews materially\n                                                                                                                        covers the information required by\n                                                                                                                        the objective.\n\nControl Objective SDCA-2               Control Activity                        Test of Controls                         Test Results\nCompliance Testing - A                 Procedures addressing the testing of    Scanned the security test and            No Relevant Exceptions Noted\ncomprehensive set of procedures is     patches, upgrades, and new AIS          evaluation guidelines as listed in the\nimplemented that tests all patches,    applications are documented.            DECC ME SSAA and the DCPS\nupgrades, and new AIS applications                                             SSAA and scanned the Change\nprior to deployment.                                                           
Management Plan included in the\n                                                                               SSAA to confirm test procedures are\n                                                                               included in the procedures.\n\nControl Objective SDCA-3               Control Activity                        Test of Controls                         Test Results\nPorts, Protocols, and Services -       DECC ME follows the processes and       Gathered network traffic through the     Extraneous services are in operation\nDoD information systems comply         controls enumerated in the STIGs        use of Securify monitoring points        on all three Logical Partitions and the\nwith DoD ports, protocols, and         which mirror DoD policy and             positioned on the DISA network and       enclave is not in compliance with the\nservices guidance. AIS applications,   guidance.                               analyzed the network traffic to          DoD Ports, Protocols and Services\noutsourced IT-based processes and                                              confirm whether the DCPS ports,          guidance. However the risks posed\n\n\n\n                                                                              73\n\x0cplatform IT identify the network             protocols, and services are in       by these services are mitigated by the\nports, protocols, and services they          accordance with DISA STIGS, DOD      other security controls in place at\nplan to use as early in the life cycle as    Guidance and regulations regarding   DECC ME. Additionally, the\npossible and notify hosting enclaves.        the appropriate usage of ports       application level controls noted\nEnclaves register all active ports,          protocols and services.              
elsewhere in this report provide\nprotocols, and services in accordance                                             mitigating controls.\nwith DoD and DoD Component\nguidance.\n\n\n\n\n                                            74\n\x0cSecurity Design and Configuration Integrity (SDCI)\n\nControl Objective SDCI\xe2\x80\x931              Control Activity                          Test of Controls                        Test Results\nControl Board - All information       All changes to information systems at     Scanned the policies and procedures     We noted ESCCB meeting notes are\nsystems are under the control of a    DISA DECC-ME are brought before           for the Executive Software Change       not maintained for the weekly\nchartered Configuration Control       at least one of two Change Control        Control Board (ESCCB) to confirm        meetings and the local CCB charter\nBoard (CCB) that meets regularly.     Boards (CCBs). DISA headquarters          the ESCCB meets on a weekly basis       could not be located Through\nThe Information Assurance Manager     has Executive software CCB which is       and minutes are maintained.             corroborative inquiry, we noted that\n(IAM) is a member of the CCB.         responsible for reviewing all major       Inspected a haphazard sample of local   major software changes are evaluated\n                                      system changes such as new versions,      CCB meeting notes to confirm the        by the ESCCB prior to\n                                      new software, and the removal of          notes include of a list of the open     implementation and minor changes\n                                      software. There is also a local CCB at    change requests to be discussed or      and updates are evaluated by the local\n                                      DISA DECC-ME that meets on a              that were discussed at the meeting.     
CCB prior to implementation.\n                                      weekly basis. The local CCB is\n                                      responsible for reviewing all\n                                      operating system upgrades and fixes.\n                                      The local CCB is also responsible for\n                                      alerting the customer to the change\n                                      and obtaining the customer approval\n                                      before proceeding. Also, the local\n                                      CCB is responsible for maintaining\n                                      the change control records.\n\n                                      The DISA Executive Software CCB\n                                      consists of representative of DISA\n                                      management as well as all the DISA-\n                                      DECCs. The DISA DECC-ME local\n                                      CCB consists of all department heads\n                                      and the Information Assurance\n                                      Manager (IAM)\n\n\n\n\n                                                                               75\n\x0cControl Objective SDCI-2               Control Activity                        Test of Controls                        Test Results\nConfiguration Specifications - A       DISA has developed and requires         Scanned the appropriate DISA STIGS      Although the enclave and the\nDoD reference document such as a       compliance with the Security            and configuration documentation to      application is in compliance with\nsecurity technical implementation      Technical Implementation Guides         determine compliance with the           certain components of the DISA\nguide or security recommendation       appropriate to the operating system,    configuration specifications.           
issued STIGs, the enclave and\nguide constitutes the primary source   application or hardware.                Analyzed the gathered network traffic   application are not in full compliance\nfor security configuration or                                                  to determine the compliance of the      with the STIGs. Through our other\nimplementation guidance for the                                                operating system with the               testing noted throughout this report,\ndeployment of newly acquired IA-                                               specifications.                         we observed there are multiple\nand IA-enabled IT products that                                                                                        compensating security controls and\nrequire use of the product\'s IA                                                                                        application level controls that would\ncapabilities. If a Departmental                                                                                        mitigate the material risk of these\nreference document is not available,                                                                                   noncompliant items.\nthe system owner works with DISA or\nNSA to draft configuration guidance\nfor inclusion in a DoD reference\nguide.\n\n\n\n\n                                                                              76\n\x0cControl Objective SDCI-3                 Control Activity                          Test of Controls                         Test Results\nDedicated IA Services - Acquisition      Business processes supported by           Inspected appropriate Service Level      No Relevant Exceptions Noted\nor outsourcing of dedicated IA           private sector information                Agreements to determine the roles\nservices such as incident monitoring,    systems and outsourced information        and responsibilities of the 
FSO.\nanalysis and response; operation of IA   technologies                              Scanned the FSO reports to determine\ndevices, such as firewalls; or key       shall be reviewed and managed             incident monitoring and response,\nmanagement services are supported        relative to contributions                 operation of IA devices.\nby a formal risk analysis and            to mission outcomes and strategic\napproved by the DoD Component            goals and objectives,\nCIO.                                     in accordance with 40 U.S.C. Sections\n                                         1423 and 1451. Data shall be\n                                         collected to support reporting and IA\n                                         management activities across the\n                                         investment life cycle.\n\nControl Objective SDCI-4                 Control Activity                          Test of Controls                         Test Results\nInterconnection Documentation -          All interconnections of DoD               Inspected C4ISP documentation and        Several undocumented interfaces\nFor AIS applications, a list of all      information systems                       compared with the information            have been observed communicating\n(potential) hosting enclaves is          are be managed to continuously            provided in the application SSAA.        with DCPS. However, the amount\ndeveloped and maintained along with      minimize community                        Analyzed the network traffic gathered    and types of traffic noted do not alone\nevidence of deployment planning and      risk by ensuring that the assurance of    by the Securify monitoring point to      constitute a material level of risk to\ncoordination and the exchange of         one system is not undermined by           identify the systems by IP address via   the application or the enclave. We\nconnection rules and requirements. 
Control Objective (continued): ...vulnerabilities of interconnected systems. For enclaves, a list of all hosted AIS applications, interconnected outsourced IT-based processes, and interconnected IT platforms is developed and maintained, along with evidence of deployment planning and coordination and the exchange of connection rules and requirements.

Test of Controls (continued): ...the central registry and check the results against the information provided by the application SSO.

Test Results (continued): ...observed compensating controls, such as the intrusion detection systems and the event exception reports that are reviewed by the appropriate managers, that mitigate this risk.

Control Objective SDCI-5: Impact Assessment - Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation.

Control Activity: All changes made at DISA DECC-ME are captured in the Change Management System (Change Management 2000). Each change record includes the requested time and date of implementation, the action to occur, and the justification for the action. The change is then presented to the CCB, where it is assessed for IA and accreditation impact. The change is implemented only after the CCB has approved it and testing has been completed and reviewed.

Test of Controls: Inspected the policies and procedures for the ESCCB to confirm that changes are assessed for Information Assurance prior to implementation.

Test Results: Policies and procedures are in place to test changes prior to implementation in the production environment. However, paperwork documenting the test procedures and results is not maintained. Through corroborative inquiry, we noted that testing procedures were performed on the two logical partitions dedicated solely to testing the application and the operating system. Additionally, we inspected documentary evidence that both test LPARs are covered by the change control board, which does provide some documentation of changes to the test environment.

Control Objective SDCI-6: IA for IT Services - Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.

Control Activity: The service level agreement (SLA) between DFAS and DISA DECC-ME explicitly states IA roles and responsibilities for both the customer and the service provider.

Test of Controls: Scanned the service level agreement (SLA) between DISA and DFAS to confirm that the agreement defines IA responsibilities for DISA, including:
• Protection of all files with an approved DISA system security package, in coordination with DFAS-HQ;
• Security for the MZF environment;
• Security for database software;
• Providing a physically and environmentally secure facility in accordance with DoD regulations.

Test Results: No Relevant Exceptions Noted

Control Objective SDCI-7: Non-repudiation - NIST FIPS 140-2 validated cryptography (e.g., DoD PKI class 3 or 4 token) is used to implement encryption (e.g., AES, 3DES, DES, Skipjack), key exchange (e.g., FIPS 171), digital signature (e.g., DSA, RSA, ECDSA), and hash (e.g., SHA-1, SHA-256, SHA-384, SHA-512). Newer standards are to be applied as they become available.

Control Activity: DECC ME is in the process of encrypting all data streams to the FIPS 140-2 standard.

Test of Controls: Implemented Securify monitoring points at appropriate network nodes to view the network traffic flows and confirm the use of encryption and the appropriate implementation of PKI within the enclave.

Test Results: DCPS traffic transmitted on external networks is encrypted; however, DCPS traffic transmitted on internal DoD networks is not encrypted. We observed controls, such as authentication mechanisms and intrusion detection systems, that mitigate this risk. In addition, the ability to capture, identify, modify, and reinsert unencrypted DCPS data traffic would be technically difficult to accomplish.

Control Objective SDCI-8: Change Management Process - A configuration management (CM) process is implemented that includes requirements for:
• Formally documented CM roles, responsibilities, and procedures, to include the management of IA information and documentation;
• A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems;
• A testing process to verify proposed configuration changes prior to implementation in the operational environment; and
• A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.

Control Activity: There is a defined configuration management (CM) process in place at DISA DECC-ME. The process is documented in the SSAA under Appendix S - Change Management Plan. Included in the plan are:
• Formally documented CM roles, responsibilities and procedures, including management of IA information and documentation;
• The detailed role of the Change Control Board (CCB), including its roles for reviewing and approving changes;
• The testing process that all changes must go through, including the migration of the change from the development region to the testing region, and from the testing region to production;
• Steps for reviewing the CM process to ensure its operating effectiveness.

Test of Controls: Scanned the Configuration Management policies included in the SSAA. Inspected a haphazard sample of changes to confirm that DISA change management processes were followed.

Test Results: 36 of 45 sampled changes were initiated into production by the requestor. Through corroborative inquiry, we determined that all changes must be loaded into the scheduling software in order to be implemented into production. The requestors noted in our exceptions do not have access to the scheduling software. The individuals who perform the scheduling review the change to determine whether it was approved by the CCB.

We also noted that 5 of 45 sampled changes were documented as having been implemented without testing. However, our subsequent corroborative inquiry into this exception noted that testing had been performed but the wrong box in the change management documentation had been completed.

Control Objective SDCI-9: System Library Management Controls - System libraries are managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code.

Control Activity: The DISA System Support Office (SSO), a unit independent of DECC operations, is responsible for maintaining the system libraries. Access to system libraries is restricted to authorized individuals.

Test of Controls: Inspected the Executive Software Plan and observed the system library maintenance process to confirm that the SSO is maintaining the libraries. Scanned the access list for personnel with access to the system libraries on the MZF LPAR, obtained from Information Systems, to confirm that access to the system libraries is restricted to Operating Systems Section personnel.

Test Results: No Relevant Exceptions Noted

Security Design and Configuration Confidentiality (SDCC)

Control Objective SDCC-1: Acquisition Standards - The acquisition of all IA- and IA-enabled IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes. The acquisition of all IA- and IA-enabled COTS IT products is limited to products that have been evaluated or validated through one of the following sources: the International Common Criteria (CC) for Information Security Technology Evaluation Mutual Recognition Arrangement, the NIAP Evaluation and Validation Program, or the FIPS validation program. Robustness requirements, the mission, and customer needs will enable an experienced information systems security engineer to recommend a Protection Profile, a particular evaluated product, or a security target with the appropriate assurance requirements for a product to be submitted for evaluation.

Control Activity: The SSO is responsible for reviewing and approving all COTS IT products.

Test of Controls: Scanned the policies and procedures regarding the acquisition of COTS products to confirm that the DISA SSO reviews all acquisitions that reflect changes to the software baseline.

Test Results: No Relevant Exceptions Noted

Control Objective SDCC-2: Specified Robustness - At a minimum, medium-robustness COTS IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system. The medium-robustness requirements for products are defined in the Protection Profile Consistency Guidance for Medium Robustness published under the IATF.

COTS IA and IA-enabled IT products used for access control, data separation, or privacy on sensitive systems already protected by approved medium-robustness products satisfy, at a minimum, the requirements for basic robustness. If these COTS IA and IA-enabled IT products are used to protect National Security Information by cryptographic means, NSA-approved key management may be required.

Control Activity: Appropriate IA products are implemented to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system.

Test of Controls: Implemented Securify monitoring points at appropriate network nodes to view the network traffic flows and to determine what IA and IA-enabled products are used to protect sensitive information in transit and at rest.

Test Results: DCPS traffic transmitted on external networks is encrypted; however, DCPS traffic transmitted on internal DoD networks is not encrypted. We observed controls, such as authentication mechanisms and intrusion detection systems, that mitigate this risk. In addition, the ability to capture, identify, modify, and reinsert DCPS data traffic would be technically difficult to accomplish.

Identification and Authentication Integrity (IAC)

Control Objective IAC-1: Group Identification and Authentication - Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the Designated Approving Authority (DAA).

Control Activity: The use of Public Key Infrastructure (PKI) certificates and biometrics for positive authentication shall be in accordance with published DoD policy and procedures. These technologies shall be incorporated in all new acquisitions and upgrades whenever possible. Where interoperable PKI is required for the exchange of unclassified information with vendors and contractors, the Department of Defense shall only accept PKI certificates obtained from a DoD-approved external certificate authority or other mechanisms approved in accordance with DoD policy.

Test of Controls: Implemented Securify monitoring points at appropriate network nodes to confirm that group authenticators for application or network access are only used in conjunction with an individual authenticator.

Test Results: Our testing noted that managers are sharing user IDs in special circumstances. These IDs have only limited access capabilities, to perform certain limited payroll functions. Our corroborative inquiry noted that the personnel sharing the IDs are authorized to do so and that other mitigating application controls, such as exception reporting, are in place.

Control Objective IAC-2: Individual Identification and Authentication - DoD information system access is gained through the presentation of an individual identifier (e.g., a unique token or user login ID) and password. For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case-sensitive 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each. At least four characters must be changed when a new password is created. Deployed/tactical systems with limited data input capabilities implement the password to the extent possible. Registration to receive a user ID and password includes authorization by a supervisor, and is done in person before a designated registration authority. Additionally, to the extent system capabilities permit, system mechanisms are implemented to enforce automatic expiration of passwords and to prevent password reuse. All factory-set, default, or standard-user IDs and passwords are removed or changed. Authenticators are protected commensurate with the classification or sensitivity of the information accessed; they are not shared; and they are not embedded in access scripts or stored on function keys. Passwords are encrypted both for storage and for transmission.

Control Activity: DISA user IDs and passwords are configured according to DISA standards.

Test of Controls: Implemented Securify monitoring points at appropriate network nodes to confirm that system access is gained through the presentation of an individual identifier and password.

Test Results: Our testing noted that managers are sharing user IDs in special circumstances. These IDs have only limited access capabilities, to perform certain limited payroll functions. Our corroborative inquiry noted that the personnel sharing the IDs are authorized to do so and that other application controls, such as exception reporting, are in place.

Enclave and Computing Environment Availability (ECEA)

Control Objective ECEA-1: Virus Protection - All servers, workstations and mobile computing devices implement virus protection that includes a capability for automatic updates.

Control Activity: Anti-virus software is installed on all PCs, laptops, and systems under DECC-ME control, and application software specific to the customers' processing requirements is provided by either commercial vendors or Government CDAs.

Test of Controls: Inspected all servers and a haphazard sample of workstations at each site for compliance with virus protection requirements.

Test Results: No Relevant Exceptions Noted

Enclave and Computing Environment Integrity (ECEI)

Control Objective ECEI-1: Audit Trail, Monitoring, Analysis and Reporting - An automated, continuous on-line monitoring and audit trail creation capability is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected.

Control Activity: A security audit trail is implemented for each system that documents the identity of each person/device having access to a system, the time of that access, user activity, and any actions which attempt to change security levels or privileges established for the user.

Test of Controls: Inspected the logs that are maintained (both automated and manual) to confirm that the audit capability is in existence and operating according to specifications.

Test Results: Audit logs are generated. There is no end-user-configurable capability to disable the system in the event of an IA violation. Our corroborative inquiry did note that incident response capacities include active management of the network infrastructure that would enable security and operations personnel to disable a system if an IA violation was detected.

Control Objective ECEI-2: Privileged Account Control - All privileged user accounts are established and administered in accordance with a role-based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, and web administration). The IAM tracks privileged role assignments.

Control Activity: Access to the system software is administered based on roles.

Test of Controls: Inspected a listing of users with access to the operating system software on the MZF LPAR to confirm that access to the datasets is restricted to the Operating Systems Section, through comparison to the Organizational Chart.

Test Results: No Relevant Exceptions Noted

Control Activity: Access to the Control M scheduler is restricted to appropriate operations personnel.

Test of Controls: Inspected a listing of all users with access to Control M on MZF to confirm that each user is a current employee and that access appears reasonable per job function, by comparing to the DISA DECC-ME Organizational Chart.

Test Results: No Relevant Exceptions Noted
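The two ECEI-2 tests are the same reconciliation applied to two listings: every user holding access to the operating-system datasets or to the Control M scheduler is looked up on the organizational chart, and the grant is an exception if the user is not a current employee or sits in a section whose job function does not warrant that access. The following Python is an added illustration of that reconciliation, not DISA DECC-ME tooling; the org chart rows, the access listing, the dataset name SYS1.LINKLIB, the section names and the section-to-resource mapping are all constructed for the example.

```python
"""Reconcile a privileged-access listing against an organizational chart (ECEI-2 style test).

Added illustration, not DISA DECC-ME tooling. All records, the resource names and
the section-to-resource mapping below are constructed for the example.
"""
from __future__ import annotations

import csv
import io

# Constructed org chart: user ID -> section, employment status.
ORG_CHART_CSV = """user_id,section,status
jdoe,Operating Systems Section,current
asmith,Operating Systems Section,current
bjones,Production Control,current
ckhan,Production Control,separated
dlee,Payroll Services,current
"""

# Constructed access listing: one row per (resource, user) grant.
# SYS1.LINKLIB stands in for the operating-system datasets; CONTROL-M for the scheduler.
ACCESS_LIST_CSV = """resource,user_id
SYS1.LINKLIB,jdoe
SYS1.LINKLIB,asmith
SYS1.LINKLIB,dlee
CONTROL-M,bjones
CONTROL-M,ckhan
CONTROL-M,eghost
"""

# Sections whose job function warrants access to each resource (assumed mapping).
ALLOWED_SECTIONS = {
    "SYS1.LINKLIB": {"Operating Systems Section"},
    "CONTROL-M": {"Production Control", "Operating Systems Section"},
}


def load_org_chart(text: str) -> dict[str, tuple[str, str]]:
    """Parse the org chart CSV into user_id -> (section, status)."""
    return {row["user_id"]: (row["section"], row["status"])
            for row in csv.DictReader(io.StringIO(text))}


def load_access_list(text: str) -> list[tuple[str, str]]:
    """Parse the access listing CSV into (resource, user_id) pairs, in listing order."""
    return [(row["resource"], row["user_id"]) for row in csv.DictReader(io.StringIO(text))]


def reconcile(access: list[tuple[str, str]], org: dict[str, tuple[str, str]],
              allowed: dict[str, set[str]]) -> list[dict]:
    """Return one exception record per grant that fails the current-employee or job-function test."""
    exceptions = []
    for resource, user in access:
        if user not in org:
            exceptions.append({"resource": resource, "user_id": user,
                               "issue": "not on organizational chart"})
            continue
        section, status = org[user]
        if status != "current":
            exceptions.append({"resource": resource, "user_id": user,
                               "issue": f"not a current employee ({status})"})
        elif section not in allowed.get(resource, set()):
            exceptions.append({"resource": resource, "user_id": user,
                               "issue": f"section '{section}' not authorized for {resource}"})
    return exceptions


def run() -> list[dict]:
    """Reconcile the constructed listing; returns the exceptions an auditor would follow up."""
    return reconcile(load_access_list(ACCESS_LIST_CSV), load_org_chart(ORG_CHART_CSV), ALLOWED_SECTIONS)


if __name__ == "__main__":
    for exc in run():
        print(exc)
```

On the constructed data run() reports three exceptions: a Payroll Services user holding system-library access, a separated employee still on the scheduler, and a scheduler user who is not on the chart at all. The order of the checks matters: an absent user is reported before any section test, and a separated employee is reported regardless of section, since either finding alone is enough to fail the test.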
Enclave and Computing Environment Confidentiality (ECEC)

Control Objective ECEC-1: Access for Need-to-Know - Access to all DoD information is determined by both its classification and user need-to-know. Need-to-know is established by the Information Owner and enforced by discretionary or role-based access controls.

Control Activity: Access to all DoD information systems is based on a demonstrated need-to-know, and is granted in accordance with applicable laws and DoD 5200.2-R for background investigations, special access, and IT position designations and requirements.

Test of Controls: Scanned the DCPS SSAA to confirm that access to DCPS is unclassified and that users must have a need-to-know to obtain access.

Test Results: No Relevant Exceptions Noted

Control Objective ECEC-2: Logon - Successive logon attempts are controlled using one or more of the following:
• Access is denied after multiple unsuccessful logon attempts;
• The number of access attempts in a given period is limited;
• A time-delay control system is employed.
If the system allows multiple logon sessions for each user ID, the system provides a capability to control the number of logon sessions.

Control Activity: CA ACF2 is maintained at both DISA ME and the various payroll offices by a series of security administrators with differing roles (administration, user accounts, etc.). The logs are centrally reviewed at DISA ME. Multiple unsuccessful login attempts result in the account being locked. If the account is unused for a specified period, the account is deactivated.

Test of Controls: Scanned the weekly reports of access denial and observed one of the security administrators at DISA ME performing three invalid attempts to log in and then one attempt to use a valid password.

Test Results: Password configuration does not comply with DoD 8500.2 requirements. However, there are additional compensating controls, such as password generational controls, password complexity factors, and multiple levels of access, that mitigate this exception.

Control Objective ECEC-3: Least Privilege - Access procedures enforce the principles of separation of duties and "least privilege." Access to privileged accounts is limited to privileged users. Use of privileged accounts is limited to privileged functions; that is, privileged users use non-privileged accounts for all non-privileged functions. This control is in addition to an appropriate security clearance and need-to-know authorization.

Control Activity: Privileged accounts are used only by DECC ME and DCPS personnel to create/modify/delete user accounts.

Test of Controls: Inspected privileged account usage logs to confirm that the accounts are used only to create/modify/delete user accounts.

Test Results: No Relevant Exceptions Noted

Control Objective ECEC-4: Marking and Labeling - Information and DoD information systems that store, process, transit, or display data in any form or format that is not approved for public release comply with all requirements for marking and labeling contained in policy and guidance documents, such as DOD 5200.1R. Markings and labels clearly reflect the classification or sensitivity level, if applicable, and any special dissemination, handling, or distribution instructions.

Control Activity: Information on DoD systems that store, process, transit, or display data in any format that is not approved for public release complies with DoD policy.

Test of Controls: Inspected the DISA DECC-ME data center, including onsite tape storage areas, to confirm that labels indicating classification level are affixed to all computers and storage devices.

Test Results: No Relevant Exceptions Noted

Control Objective ECEC-5: Conformance Monitoring and Testing - Conformance testing that includes periodic, unannounced, in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures, such as the DoD IAVA or other DoD IA practices, is planned, scheduled, and conducted. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities.

Control Activity: DECC ME performs monthly vulnerability scans. The DCPS system and hardware are reviewed by an FSO SRR.

Test of Controls: Inspected periodic vulnerability scans and documentation of system reviews to confirm that conformance monitoring is in effect.

Test Results: No Relevant Exceptions Noted

Control Objective ECEC-6: Warning Message - All users are warned that they are entering a Government information system, and are provided with appropriate privacy and security notices, to include statements informing them that they are subject to monitoring, recording and auditing.

Control Activity: All DISA networks and platforms present a message to users upon logon which warns them that they are entering a Government information system, and users are provided with appropriate privacy and security notices, to include statements informing them that they are subject to monitoring, recording and auditing.

Test of Controls: Observed a Security Systems Specialist log in to the DISA network and then into DCPS. Inspected the text from the login to confirm that the warning message appears upon login.

Test Results: No Relevant Exceptions Noted

Control Objective ECEC-7: Account Control - A comprehensive account management process is implemented to ensure that only authorized users can gain access to workstations, applications, and networks and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated.

Control Activity: User accounts are suspended after 30 days of no activity (60 days for TSO and Payroll offices) and removed after 90 days. Accounts are issued by local security administrators. User access administration controls are tested in multiple sections of this report, including sections APP, IAC, ECEI, ECEC, and EBDC.

Test of Controls: User access administration is tested in several areas in this report. Scanned logs of suspended accounts and removed accounts to confirm that inactive/terminated/transferred user accounts are removed.

Test Results: No Relevant Exceptions Noted
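The IAC-2 password rules, the ECEC-2 lockout rule and the ECEC-7 inactivity rule can be expressed together as one small account-policy module, which also makes the ECEC-2 test of controls (three invalid attempts, then the valid password) reproducible. The following Python is an added illustration, not DCPS, DFAS or DISA code. It uses the figures the report states: an 8-character mix with at least one character of each class, at least four characters changed on a new password, no reuse, suspension after 30 idle days (60 for TSO and Payroll offices) and removal after 90. The lockout threshold of three failures and the reading of "four characters changed" as four differing positions are assumptions, and the dates, user IDs and passwords are constructed.

```python
"""Account policy in the shape of the IAC-2, ECEC-2 and ECEC-7 control text.
Added illustration, not DCPS, DFAS or DISA code. From the report: 8-character mix
with one of each class, four characters changed, no reuse, suspension after 30 idle
days (60 for TSO/Payroll), removal after 90. Assumed: lockout after three failures,
and "four characters changed" read as four differing positions."""
from __future__ import annotations

import hashlib
import string
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                       # assumed; the report says only "multiple"
REMOVAL_DAYS = 90
SUSPEND_DAYS = {"TSO": 60, "Payroll": 60}   # any other office: 30 days
SPECIALS = set(string.punctuation)


def password_policy_errors(new: str, old: str | None = None) -> list[str]:
    """Return the IAC-2 rules a candidate password breaks; [] means compliant."""
    errors = []
    if len(new) < 8:
        errors.append("shorter than 8 characters")
    if not any(c.isupper() for c in new):
        errors.append("no upper case letter")
    if not any(c.islower() for c in new):
        errors.append("no lower case letter")
    if not any(c.isdigit() for c in new):
        errors.append("no digit")
    if not any(c in SPECIALS for c in new):
        errors.append("no special character")
    if old is not None:
        # Differing positions plus any length difference (assumed reading of the rule).
        changed = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        if changed < 4:
            errors.append(f"only {changed} character(s) changed")
    return errors


def _digest(password: str) -> str:
    """Stored form: a digest, never the clear text. Toy only; use a salted, slow hash in practice."""
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    def __init__(self, user_id: str, office: str, password: str, last_activity: datetime):
        self.user_id, self.office, self.last_activity = user_id, office, last_activity
        self.failed_attempts, self.locked = 0, False
        self.history = [_digest(password)]   # newest last; also serves the reuse rule

    def change_password(self, current: str, new: str) -> list[str]:
        """IAC-2 complexity, change-distance and reuse rules; returns the violations."""
        if _digest(current) != self.history[-1]:
            return ["current password incorrect"]
        errors = password_policy_errors(new, current)
        if _digest(new) in self.history:
            errors.append("password reuse")
        if not errors:
            self.history.append(_digest(new))
        return errors

    def inactivity_state(self, now: datetime) -> str:
        """ECEC-7: 'active', 'suspended' or 'removed' from idle time alone."""
        idle = now - self.last_activity
        if idle >= timedelta(days=REMOVAL_DAYS):
            return "removed"
        if idle >= timedelta(days=SUSPEND_DAYS.get(self.office, 30)):
            return "suspended"
        return "active"

    def logon(self, password: str, now: datetime) -> str:
        """ECEC-2: refuse idle or locked accounts; lock after repeated failures."""
        state = self.inactivity_state(now)
        if state != "active":
            return f"denied: account {state}"
        if self.locked:
            return "denied: account locked"
        if _digest(password) != self.history[-1]:
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "denied: account locked after repeated failures"
            return "denied: bad password"
        self.failed_attempts, self.last_activity = 0, now
        return "granted"


def demo() -> dict:
    """Constructed scenario mirroring the ECEC-2 test: three bad attempts, then the valid password."""
    now = datetime(2004, 9, 10)                      # constructed date
    acct = Account("payroll01", "Payroll", "Tr0ub4dor!", now)
    attempts = [acct.logon("wrong-pass", now) for _ in range(3)] + [acct.logon("Tr0ub4dor!", now)]
    chg = Account("decc01", "DECC", "Tr0ub4dor!", now)
    changes = [chg.change_password("Tr0ub4dor!", "Tr0ub4dor?"),   # one position differs
               chg.change_password("Tr0ub4dor!", "Ne7wP@ss99"),   # compliant change
               chg.change_password("Ne7wP@ss99", "Tr0ub4dor!")]   # earlier password: reuse
    idle = {office: Account(office.lower(), office, "Ne7wP@ss99",
                            now - timedelta(days=days)).inactivity_state(now)
            for office, days in (("DECC", 45), ("Payroll", 45), ("TSO", 90))}
    return {"attempts": attempts, "changes": changes, "idle": idle}
```

demo() repeats the shape of the ECEC-2 test of controls: the third invalid attempt locks the account, so the following attempt with the correct password is still refused. The idle states show the office-dependent window from ECEC-7: a 45-day-idle Payroll account is still active while a DECC account of the same age is suspended, and any account idle 90 days is removed. Storing only digests keeps the reuse check honest without keeping clear-text passwords, although the SHA-256 stand-in should be replaced by a salted, slow password hash in anything real.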
Enclave Boundary Defense Availability (EBDA)

Control Objective EBDA-1: VPN Controls - All VPN traffic is visible to network intrusion detection systems (IDS).

Control Activity: ISS Real Secure is installed at various points that give visibility into the network traffic ingressing and egressing the enclave.

Test of Controls: Inspected the technical capabilities and actual data streams to confirm that the ISS monitors are capable of viewing VPN traffic.

Test Results: No Relevant Exceptions Noted

Enclave Boundary Defense Confidentiality (EBDC)

Control Objective EBDC-1: Boundary Defense - Boundary defense mechanisms, to include firewalls and network intrusion detection systems (IDS), are deployed at the enclave boundary to the wide area network, at layered or internal enclave boundaries, and at key points in the network, as required. All Internet access is proxied through Internet access points that are under the management and control of the enclave and are isolated from other DoD information systems by physical or technical means.

Control Activity: Perimeter firewalls and intrusion detection systems are implemented.

Test of Controls: Implemented Securify monitoring points at appropriate network nodes to confirm that the behavior of the traffic is consistent with firewall rules and behaviors. Observed that an intrusion detection system has been implemented.

Test Results: No Relevant Exceptions Noted

Control Objective EBDC-2: Public WAN Connection - Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a demilitarized zone (DMZ).

Control Activity: DoD information systems shall regulate remote access and access to the Internet by employing positive technical controls such as proxy services and screened subnets, also called demilitarized zones (DMZ), or through systems that are isolated from all other DoD information systems through physical means.

Test of Controls: Scanned the network diagrams for the presence of a DMZ with regard to traffic that may flow into commercial wide area networks (i.e., the Internet). Implemented Securify monitoring points at appropriate network nodes to view the network traffic flows and confirm the use of a DMZ.

Test Results: No Relevant Exceptions Noted

Control Objective EBDC-3: Remote Access for Privileged Functions - Remote access for privileged functions is discouraged, is permitted only for compelling operational needs, and is strictly controlled. In addition to EBRU-1, sessions employ security measures, such as a VPN with blocking mode enabled.

Control Activity: There is a remote dial-in router provided for Systems Administrators which requires Secure Shell restrictions. ESM is installed on some of these systems.

Test of Controls: Inspected the presence of remote access for privileged functions to confirm that remote access contains security measures such as a complete audit trail and the presence of additional security controls such as VPN with blocking mode, strong encryption, strong passwords or other

Test Results: No Relevant Exceptions Noted
A complete audit trail of                                                  means of authentication are present\neach remote session is recorded, and                                                and operating.\nthe IAM/O reviews the log for every\nremote session.\n\nControl Objective EBDC-4                  Control Activity                          Test of Controls                         Test Results\nRemote Access for User Functions -        Remote access to the Internet is          Implemented Securify monitoring          Our testing noted that remote access\nAll remote access to DoD information      regulated by positive technical           points at appropriate network nodes to   is not authenticated via a DMZ.\nsystems, to include telework access, is   controls such as proxy services and       confirm appropriate strength             However, as a compensating control,\nmediated through a managed access         screened subnets, also called             encryption established in ECCT and       all authentication is performed via an\ncontrol point, such as a remote access    demilitarized zones (DMZ), or             to identify and document additional      approved security application, with a\nserver in a DMZ. Remote access            through systems that are isolated from    controls regarding internet address,     FIPS 140-2 compliant encryption\nalways uses encryption to protect the     all other DoD information systems         dial-up connection telephone numbers     algorithm with a secondary\nconfidentiality of the session. The       through physical means.                   etc.                                     authentication required by the\nsession level encryption equals or                                                                                           application.\nexceeds the robustness established in\nECCT. Authenticators are restricted\nto those that offer strong protection\nagainst spoofing. 
Information\nregarding remote access mechanisms\n(e.g., Internet address, dial-up\nconnection telephone number) is\nprotected.\n\n\n\n\n                                                                                   92\n\x0cPhysical and Environmental Availability (PEA)\n\nControl Objective PEA-1               Control Activity                        Test of Controls                         Test Results\nEnvironmental Controls -              The DISA DECC-ME has                    Inquired with Public Works that the      No Relevant Exceptions Noted\nAppropriate fire detection &          implemented fire detection and          DISA DECC-ME data center is\nsuppression, humidity, temperature,   suppression systems, humidity and       equipped with fire detection monitors,\nand emergency cut-off controls have   water monitors, temperature monitors    a fire suppression system, temperature\nbeen implemented and functioning      and emergency cut-off controls.         monitors, humidity monitors and an\nproperly                                                                      emergency cut-off switch. 
Observed\n                                                                              the data center to observe and confirm\n                                                                              the existence and operation of the\n                                                                              environmental controls.\n\n\n\n\n                                                                             93\n\x0cPhysical and Environmental Confidentiality (PEC)\n\nControl Objective PEC-1                   Control Activity                          Test of Controls                        Test Results\nClearing and Sanitizing - All             All documents, equipment, and             Observed the DISA DECC-ME hard          No exceptions noted\ndocuments, equipment, and machine-        machine-readable media containing         drive sanitizing procedures with the\nreadable media containing sensitive       sensitive data are cleared and            DISA DECC-ME Information\ndata are cleared and sanitized before     sanitized before being released, and      Assurance Manager.\nbeing released outside of the             sign off is required to certify the\nDepartment of Defense according to        destruction of such media.\nDoD 5200.1-R and ASD(C3I)\nMemorandum, dated June 4, 2001,\nsubject: "Disposition of Unclassified\nDoD Computer Hard Drives."\n\nControl Objective PEC-2                   Control Activity                          Test of Controls                        Test Results\nPhysical Protection of Facilities -       All DISA facilities at DISA DECC-         Observed the physical access controls   No Relevant Exceptions Noted\nEvery physical access point to            ME are locked at all times. 
Access is     in place at DISA DECC-ME to\nfacilities housing workstations that      restricted using proximity cards, with    determine that appropriate physical\nprocess or display sensitive              PIN technology, which are controlled      access restrictions are in place.\ninformation or unclassified               and issued by the Security Manager.\ninformation that has not been cleared\nfor release is controlled during\nworking hours and guarded or locked\nduring non-work hours.\n\nControl Objective PEC-3                   Control Activity                          Test of Controls                        Test Results\nPhysical Security Testing - A             The Naval Inventory Control Point         Inquired with Chief of Police, Naval    No Relevant Exceptions Noted\nfacility penetration testing process is   conducts periodic, unannounced            Inventory Control Point (NAVICP),\nin place that includes periodic,          penetration testing to confirm that       and Security Director \xe2\x80\x93 NAVICP, that\nunannounced attempts to penetrate         physical security is adequate.            at least once every 3 years, NAVICP\nkey computing facilities.                                                           
is subjected to an unannounced\n                                                                                    penetration attempt by the Joint\n                                                                                    Chiefs Vulnerability Assessment\n\n\n\n                                                                                   94\n\x0c                                                                                  Team.\n\n                                        DISA DECC-ME\xe2\x80\x99s SSAA requires              Scanned the DISA DECC-ME System          No Relevant Exceptions Noted\n                                        the performance of physical security      Security Authorization Agreement\n                                        inspections by the Security Office.       (SSAA) to determine that section\n                                                                                  6.4.2 requires that physical security\n                                                                                  inspections be conducted by the\n                                                                                  Security Office as a component of\n                                                                                  Traditional Security.\n\nControl Objective PEC-4                 Control Activity                          Test of Controls                         Test Results\nWorkplace Security Procedures -         Procedures are in place to ensure that    Scanned the DISA DECC-ME SSAA            No Relevant Exceptions Noted\nProcedures are implemented to ensure    documents and electronic media are        Appendix J, System Rules of\nthe proper handling and storage of      stored in accordance with DoD             Behavior to determine that all\ninformation, such as end-of-day         standards.                                
government owned property leaving\nsecurity checks, unannounced security                                             the data center building is inspected.\nchecks, and, where appropriate, the                                               Toured the data center facility and\nimposition of a two-person rule                                                   observed that access to storage areas\nwithin the computing facility.                                                    is controlled through the use of\n                                                                                  proximity cards, PINs, and closed\n                                                                                  circuit TV.\n\nControl Objective PEC-5                 Control Activity                          Test of Controls                         Test Results\nStorage - Documents and equipment       All documents and storage media are       Scanned the DISA DECC-ME SSAA            No Relevant Exceptions Noted\nare stored in approved containers or    stored in physically and                  to determine that the compute facility\nfacilities with maintenance and         environmentally secure containers.        of the data center building has been\naccountability procedures that comply                                             approved as a Collateral Classified\nwith DoD 5200.1-R.                                                                
Storage Area up to the Secret level.\n                                                                                  Toured the data center facility and\n                                                                                  observed that access to storage areas\n                                                                                  is controlled through the use of\n                                                                                  proximity cards, PINs, and closed\n                                                                                  circuit TV.\n\n\n\n\n                                                                                 95\n\x0cControl Objective PEC-6                    Control Activity                          Test of Controls                          Test Results\nVisitor Control to Computing               The DISA DECC-ME SSAA requires            Scanned the DISA DECC-ME System           No Relevant Exceptions Noted\nFacilities - Current signed procedures     all uncleared personnel to be escorted    Security Authorization Agreement\nexist for controlling visitor access and   at all times while inside the DISA        (SSAA) to determine that it requires\nmaintaining a detailed log of all          DECC-ME (Building 308).                   that appropriately cleared personnel\nvisitors to the computing facility.                                                  must escort all uncleared personnel in\n                                                                                     the DISA DECC-ME.\n                                           All visitors to the DISA DECC-ME          Inspected the visitors sign-in at the     No Relevant Exceptions Noted\n                                           must sign-in and out with the guard       DISA DECC-ME determine that\n                                           on duty.                                  
visitors are required to exchange their\n                                                                                     normal employee or visitor badges for\n                                                                                     special DISA DECC-ME badges and\n                                                                                     sign visitor\xe2\x80\x99s log.\n\n\n\n\n                                                                                    96\n\x0cPersonnel Availability (PA)\n\nControl Objective PA-1                  Control Activity                          Test of Controls                         Test Results\nSecurity Rules of Behavior or           The DISA DECC-ME SSAA includes            Scanned the DISA DECC-ME System          No Relevant Exceptions Noted\nAcceptable Use Policy - A set of        an Appendix J, System Rules of            Security Authorization Agreement\nrules that describe the IA operations   Behavior, which describes the IA          (SSAA), Appendix J, System Rules of\nof the DoD information system and       operations of the DoD information         Behavior to determine that it includes\nclearly delineate IA responsibilities   system and clearly delineates IA          a Systems Security Plan.\nand expected behavior of all            responsibilities and expected behavior\npersonnel is in place. The rules        of all personnel.\ninclude the consequences of\ninconsistent behavior or non-\ncompliance. 
Signed\nacknowledgement of the rules is a\ncondition of access.\n\n\n\n\n                                                                                 97\n\x0cPersonnel Integrity (PI)\n\nControl Objective PI-1                   Control Activity                           Test of Controls                         Test Results\nInformation Assurance Training A         The DECC ME SSAA includes an               Scanned training documentation           No Relevant Exceptions Noted\nprogram is implemented to ensure         Appendix J, System Rules of                provided by the DISA DECC-ME\nthat upon arrival and periodically       Behavior, which describes the IA           Security Officer to determine that\nthereafter, all personnel receive        operations of the DoD information          new employees go through security\ntraining and familiarization to          system and clearly delineates IA           awareness training their first day and\nperform their assigned IA                responsibilities and expected behavior     there is an annual refresher course.\nresponsibilities, to include             of all personnel.                          
Scanned the DCPS SSAA to\nfamiliarization with their prescribed                                               determine that the Pensacola TSO has\nroles in all IA- related plans such as                                              created an online security training\nincident response, configuration                                                    awareness program that is required to\nmanagement and COOP or disaster                                                     be completed before a DCPS account.\nrecovery.\n                                         DECC ME has ongoing security               Scanned training documentation           No Relevant Exceptions Noted\n                                         awareness programs that include            provided by the DECC ME Security\n                                         initial training and periodic refresher    Officer to determine that new\n                                         training.                                  employees go through security\n                                                                                    awareness training their first day and\n                                                                                    there is an annual refresher course.\n\n\n\n\n                                                                                   98\n\x0cPersonnel Confidentiality (PC)\n\nControl Objective PC-1                      Control Activity                           Test of Controls                         Test Results\nAccesses to Information -                   The DISA DECC-ME SSAA requires             Selected a haphazard sample of           No Relevant Exceptions Noted\nIndividuals requiring access to             system users to be subjected to            employees with highly permissive\nsensitive information are processed         various levels of Personnel Security       access to the facilities at DISA\nfor access authorization in accordance      
Investigations (PSI\xe2\x80\x99s) based on the        DECC-ME and inspected their\nwith DoD personnel security policies.       level of access or privileges they have    clearance levels in the Defense\n                                            within the systems. The higher the         Clearance Investigation Index with\n                                            level of access, the more stringent the    the DISA DECC-ME Security Officer\n                                            required investigation becomes. As a       to confirm that level security\n                                            minimum, all DISA DECC-ME                  clearance level is appropriate.\n                                            employees (military, civilian or\n                                            contractors) will have a SECRET\n                                            security clearance and a favorably\n                                            completed NAC.\n\nControl Objective PC-2                      Control Activity                           Test of Controls                         Test Results\nMaintenance Personnel -                     The DISA DECC-ME SSAA requires             Inquired with the DISA DECC-ME           No Relevant Exceptions Noted\nMaintenance is performed only by            that most maintenance and all              Security Officer and Information\nauthorized personnel. The processes         cleaning personnel are required to         Assurance Manager to determine that\nfor determining authorization and the       have at least a Secret clearance to        maintenance personnel are vetted just\nlist of authorized maintenance              work in building 308. If they do not       like any other employee or contractor.\npersonnel are documented.                   
have the appropriate clearance they\n                                            will be escorted at all times.\n\n\nControl Objective PC-3                      Control Activity                           Test of Controls                         Test Results\n Access to Need-to-Know                     The DISA DECC-ME SSAA requires             Selected a haphazard sample of           No Relevant Exceptions Noted\nInformation - Only individuals who          that Access to all DoD information         employees with highly permissive\nhave a valid need-to-know that is           systems shall be based on a                access to the facilities at DISA\ndemonstrated by assigned official           demonstrated need-to-know, and             DECC-ME and inspected their\nGovernment duties and who satisfy           granted in                                 clearance levels in the Defense\nall personnel security criteria (e.g., IT   accordance with applicable laws and        Clearance Investigation Index with\n\n\n\n                                                                                      99\n\x0cposition sensitivity background          DoD 5200.2-R                             the DISA DECC-ME Security Officer\ninvestigation requirements outlined in   for background investigations, special   to confirm that level security\nDoD 5200.2-R) are granted access to      access and                               clearance level is appropriate.\ninformation with special protection      IT position designations and\nmeasures or restricted distribution as   requirements. An appropriate\nestablished by the information owner.    
security clearance and non-disclosure\n                                         agreement are\n                                         also required for access to classified\n                                         information in\n                                         accordance with DoD 5200.1-R.\n\nVulnerability and Incident Management Availability (VIMA)\n\nControl Objective VIMA-1                 Control Activity                         Test of Controls                         Test Results\nVulnerability Management - A             Vulnerabilities are tracked in the       Scanned the most recent reports from     No Relevant Exceptions Noted\ncomprehensive vulnerability              Vulnerability Management System          the VMS that pertain specifically to\nmanagement process that includes the     (VMS) database. Prior to connection      DCPS and inspected the patch levels\nsystematic identification and            to the network, the SA must run a        to identify mitigation techniques.\nmitigation of software and hardware      VS08 report detailing Information        Implemented Securify monitoring\nvulnerabilities is in place. Wherever    Assurance Vulnerability Management       points at appropriate network nodes to\nsystem capabilities permit, mitigation   (IAVM) notices for the asset\'s           confirm STIG compliance with\nis independently validated through       operating system. All IAVM notices       vulnerability requirements. Scanned\ninspection and automated                 must be mitigated and applicable         recent SRR reports to confirm SRRs\nvulnerability assessment or state        patches loaded prior to connecting the   are performed.\nmanagement tools. Vulnerability          asset to the network. 
Once all the\nassessment tools have been acquired,     checklists have been applied from the\npersonnel have been appropriately        STIG and the vulnerability alerts have\ntrained, procedures have been            been installed, a security readiness\ndeveloped, and regular internal and      review (SRR) and an ISS scan will be\nexternal assessments are conducted.      conducted of the operating system.\nFor improved interoperability,           Security assessments that require a\npreference is given to tools that        scan will use the Internet Security\nexpress vulnerabilities in the           Scanner (ISS) and the FSO Full Scan\nCommon Vulnerabilities and               Policy. The scan will be conducted\nExposures (CVE) naming convention        using a direct connection from the\n\n\n\n                                                                              100\n\x0cand use the Open Vulnerability         system running ISS to the system\nAssessment Language (OVAL) to test     being assessed or the site is\nfor the presence of Vulnerabilities.   authorized to connect the asset to an\n                                       isolated network during the ISS scan.\n                                       Each site will place their self-\n                                       assessment in the Security Readiness\n                                       Review Database (SRRDB). 
If the\n                                       systems have a database, web server,\n                                       or any other software that has a STIG,\n                                       they must go through a FSO SRR and\n                                       the results put in the self-assessment\n                                       of the SRR database.\n\n\n\n\n                                                                            101\n\x0c102\n\x0cSection IV: Supplemental Information Provided by DFAS and\n                           DISA\n\n\n\n\n                           103\n\x0c104\n\x0cIV. Supplemental Information Provided by DFAS and DISA\n   Introduction\n\n   This section has been prepared by DFAS and DISA and is included to provide user\n   organizations with information DFAS and DISA believes will be of interest to such\n   organizations but which is not covered within the scope or control objectives\n   established for the SAS 70 review. Specifically included is a summary of procedures\n   that DFAS and DISA have put into place to enable recovery from a disaster affecting\n   the DFAS TSOPE and the DISA DECC at Mechanicsburg, PA.\n\n   This information has not been subjected to the procedures applied to the\n   examination of the description of controls presented in Sections II and III of this\n   report, and accordingly, the Office of Inspector General expresses no opinion\n   regarding the completeness and accuracy of this information.\n\n   TSOPE Specific Business Continuity Plans\n   The DCPS production support Continuity of Operations Plan (COOP) provides an\n   action plan to be implemented when there is a disaster or impending threat that would\n   render DCPS production support inoperable (e.g., hurricane, damage to TSOPE\n   facilities due to fire, etc.). This plan is evaluated and updated, accordingly, on an\n   annual basis. 
In the impending threat or event, production support control for the\n   DCPS production support is transferred to an alternate-processing site, currently\n   defined to be DAC Huntsville, AL. Contained in the detailed COOP are names of\n   DCPS staff members who will serve as a pool of resources to be mobilized to execute\n   the plan and a list of documentation and supplies that are necessary to support the\n   mobilized team.\n\n   Team members are comprised of DCPS development staff members across many\n   divisions and branches. TSOPE designates two members of the management team to\n   be responsible for COOP execution. One is mobilized with the team and is\n   responsible for team activities and communication with TSOPE while deployed to the\n   COOP recovery site. The other serves as the team\xe2\x80\x99s liaison at TSOPE and is\n   responsible to relay current status, current area weather conditions, and other\n   pertinent information to the mobilized team. The team is divided into two teams with\n   each covering a 12-hour shift. Team leaders are appointed for the respective shift\n   teams. Each step included in planning and executing the COOP is coordinated with\n   full cooperation and involvement by the DCPS project management staff. Although\n   this plan works for any type of disaster where production support becomes\n   inoperable, it has been executed several times in the past years during impending\n   disastrous weather, such as a hurricane.\n\n   DISA DECC-ME Business Continuity Plans\n   To accommodate a major disaster at any major DISA processing center, DISA has\n   established the DISA Continuity and Test Facility (DCTF) at Slidell, LA. This\n   facility is equipped with computational, DASD (Direct Access Storage Device), and\n   telecommunications resources sized to provide a fully functional host site with the\n   capacity to support a major disaster at any DISA processing center. 
The COOP support agreement between DFAS as the customer and DISA as the provider of processing system and communications services provides for restoring host site processing in the event of a major disaster and the timely resolution of problems during other disruptions that adversely affect DCPS processing. The plan, as it relates to DCPS, details data restoration procedures for the MZF OS/390 operating system, the DCPS IDMS database, and related mid-tier servers and communication devices. Backup tapes containing the incremental daily and the complete weekly backups are rotated off site to the DISA DECC Detachment at Chambersburg, PA for storage on a predetermined schedule.

The Crisis Management Team (CMT) at DECC-ME is responsible for declaring that a disaster has occurred and initiating the BCP. The CMT will then activate the following response teams: Communications Team (COMT), Recovery Coordination Team (RCT), Site Recovery Team (SRT), and the Crisis Support Team (CST). Each team has a specific set of responsibilities defined in the Business Continuity Plan. The contact information for each individual on each team is also included in the Business Continuity Plan. The plan is required to be tested on an annual basis. TSOPE personnel participate in the yearly COOP test to ensure that the process works correctly and documentation is updated appropriately.

On September 12, 2004, Hurricane Ivan caused damage to the DFAS payroll office at the Pensacola Naval Air Station and the TSOPE facility at Saufley Field in Pensacola. As a result, DFAS management implemented the COOPs for the payroll office and TSOPE operations. The implementation of COOP activities allowed DFAS to successfully run civilian payroll for all of its customers on time from an alternative operating location. TSOPE returned to operation on September 24, 2004.

Acronyms and Abbreviations

ACF2        Access Control Facility 2
ACL         Audit Command Language
BMMP        Business Management Modernization Program
BPH         Business Process Handbook
C2M         Continuous Compliance Model
CCB         Configuration Control Board
CDA         Central Design Agency
CM          Configuration Management
CONUS       Continental United States
COOP        Continuity of Operations
COR         Contracting Officer Representative
COTS        Commercial Off The Shelf
CRC         Cyclic Redundancy Check
CSR         Customer Service Representatives
DAA         Designated Approving Authority
DAPS        Defense Automated Printing Service
DCPS        Defense Civilian Pay System
DECC        Defense Enterprise Computing Center
DECC-ME     Defense Enterprise Computing Center - Mechanicsburg
DFAS        Defense Finance and Accounting Service
DFAS-HQ     Defense Finance and Accounting Service-Headquarters
DISA        Defense Information Systems Agency
DISN        Defense Information System Network
DITSCAP     Department of Defense Information Technology Security Certification and Accreditation Process
DMZ         Demilitarized Zone
DNS         Domain Name Server
DoD         Department of Defense
DoDFMR      Department of Defense Financial Management Regulations
DoDI        Department of Defense Instruction
DOE         Department of Energy
DPAS        Defense Property Accountability System
ESCCB       Executive Software Change Control Board
FFMIA       Federal Financial Management Improvement Act
FISCAM      Federal Information Systems Controls Audit Manual
FISMA       Federal Information Security Management Act
FSO         Field Security Operations
GAGAS       Generally Accepted Government Auditing Standards
GAO         General Accounting Office
GOTS        Government Off-The-Shelf Application
IA          Information Assurance
IAM         Information Assurance Manager
IAO         Information Assurance Officer
IATF        Information Assurance Technical Framework
IDS         Intrusion Detection System
IG DOD      Inspector General Department of Defense
IP          Internet Protocol
ISSO        Information Systems Security Officer
IW          Information Warfare
LAN         Local Area Network
LES         Leave and Earnings Statements
MAC         Mission Assurance Category
MER         Master Employee Record
NAC         National Agency Check
NAVICP      Naval Inventory Control Point
NES         Navy Enlisted System
NIPRNET     Non-Classified Internet Protocol Router Network
NIST        National Institute of Standards and Technology
NSA         National Security Agency
OIG         Office of the Inspector General
OS          Operating System
PKE         Public Key Enabling
PKI         Public Key Infrastructure
RFQ         Request for Quotation
SAS         Statement on Auditing Standards
SLA         Service Level Agreement
SNA         Systems Network Architecture
SOP         Standard Operating Procedure
SOW         Statement of Work
SRR         System Readiness Report
SSAA        System Security Authorization Agreement
SSO         System Support Office
STIGs       Security Technical Implementation Guidelines
TASO        Terminal Area Security Officer
TSO         Technology Services Organization
TSOPE       Technology Services Engineering Organization in Pensacola
VIS         Vendor Integrity Statement

Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)/Chief Financial Officer
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Director, Program Analysis and Evaluation

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Combatant Command
Inspector General, U.S. Joint Forces Command

Other Defense Organizations
National Security Agency
Defense Finance and Accounting Service
Inspector General, Defense Information Systems Agency
Director, Defense Logistics Agency
Inspector General, U.S. Joint Forces Command

Non-Defense Federal Organizations and Individuals
Office of Management and Budget
General Accountability Office

Congressional Committees and Subcommittees, Chairman and Ranking Minority Members
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Team Members

The Defense Financial Auditing Service, in conjunction with contract auditors from Deloitte and Touché and Urbach Kahn and Werlin and the Technical Assessment Division of the Office of the Inspector General of the Department of Defense (IG DoD), prepared this report. Personnel of the Quantitative Methods Division, IG DoD, also contributed to the report.
